Versions of the package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data: under certain conditions, the default autoType shutdown restrictions can be bypassed. Exploiting this vulnerability allows an attacker to attack remote servers that parse untrusted JSON with the affected library. Workaround: if upgrading is not possible, enable safeMode, which turns autoType off entirely.
[
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"61024697520050202701621572067117824757",
"299278800782337073088942980025648933138"
]
},
"id": "CVE-2022-25845-1b85b0de",
"source": "https://github.com/alibaba/fastjson/commit/26f13f84fdd522de10678e43f55fde918ab7b347",
"signature_type": "Line",
"target": {
"file": "src/main/java/com/alibaba/fastjson/JSON.java"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"length": 496.0,
"function_hash": "263709127359607957505066787466238883719"
},
"id": "CVE-2022-25845-2ececd91",
"source": "https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15",
"signature_type": "Function",
"target": {
"file": "src/test/java/com/alibaba/json/bvt/PointTest2.java",
"function": "test_point"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"42019374667715151548414386455597848271",
"261647332084669642067673889074193407907",
"140652181733654025014420524657994915642",
"281677047825629461810306487545906737319",
"42344365482721568115775040764119899550",
"254488526636465409923827814493820827872",
"49913526691816752756705378546368183645",
"132183748340968926055092878820199561410",
"156858443304170883432898439978142462304",
"88061640506583648181423432113786249999",
"312233732510431193073146015508573863848",
"135489702588547835646695090408342491553",
"128148263078011778332722549528505039295",
"194755019387191719519394707370691003228",
"37789225863914031121875611446504120094",
"53144270407581646639484539682170737568",
"238299898149172482960273210745948667370",
"61720797564892288091435181523276315527",
"220146179592950675355142283854598856213",
"86449347169640609840825447401542692571",
"161512536767571553818986129398903362583",
"185191352221934877561875350592375496405",
"246125325798476598517410149646837409229",
"239250099492412344066030563567670406529",
"274534710593711184383895400790624615892",
"247086880050703216695258984153205170608",
"291434916556184221354847747186853857873",
"114724774186460852979732007555435287230",
"110912965948561628047095055388931416228",
"86728366194803233130514475274098431063",
"92132590868500742699976083404475379917",
"110253794791082447594130223549992602360",
"150311191359098418195106862007470667357",
"68127192807873558300546325950907091928",
"257174281971252908410083431901768124606",
"156661812714532894813963664888815193134",
"22555810421602849679738864098775285326",
"28294348546258085355871189317662304685",
"198442294796523179829112633889137251492",
"239552984243007006362474039758678824054",
"137838775446629889243361775167923328005",
"164535402268719813254638406688155991116",
"24535438523346546395283953533138832349",
"305505177723542457417771748079052646423",
"22594433761210503568401996059479269374",
"147519113533513755760476834195306337670",
"109438782601948442361221323390461224721",
"108370928176284982373927645155840684438",
"172610104072177208318374416424507283744",
"173982959830285498680711886129017996223",
"257905104262350477702357137341305454418",
"314369326295053333171928106470504602310",
"14535924420209791383866767963920337849",
"81452139915633522815676464911882533244",
"140586724875599386380932660728555728047",
"325377413254581394098306480201053172646",
"17270619930087626191052675823308302589",
"125648168627692082683766204151380102727",
"179227163271768488295561188507685525347",
"164437503825906020546370955693321941374",
"115702398258520763902560805589070144931",
"26378778051551351512028745259876588752",
"153398886045706505036261299964847292672",
"298649941837505280518897706664212961315",
"282733859300870437927482783796393401331",
"145371376845343627788362004901246686103",
"135717222437622676537684030412648010311",
"301221374054761452611723826904016319759",
"9999553244590762179180539078362410675",
"137531530795646165778657260825453629174",
"173230956339928869567501147124263420942",
"203322116337848706140214141757205144408",
"170672131831968689939747766393964734741",
"66781267003266104305615643665111944685",
"191962870328976087574734121280085330359",
"11767683388579311843561642416002044371",
"11530123334182055188826253827836930710",
"179197548024987212124385182998738869663"
]
},
"id": "CVE-2022-25845-3170e760",
"source": "https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d",
"signature_type": "Line",
"target": {
"file": "src/main/java/com/alibaba/fastjson/parser/ParserConfig.java"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"327656689625169491807666196008214900878",
"264184945322064187024201558092645048986",
"59217624312272304474253748749603366137",
"289059678654717703797742436058568310759",
"98780712871516867734269464847596618482",
"308930319451266143944166162017117647243",
"22030314772773981362218784200177426196",
"217152839289230024632560064188348811825"
]
},
"id": "CVE-2022-25845-4fa7a2f7",
"source": "https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d",
"signature_type": "Line",
"target": {
"file": "src/test/java/com/alibaba/json/bvt/bug/Bug_for_Exception.java"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"length": 5379.0,
"function_hash": "117009548729306227632091226377174928215"
},
"id": "CVE-2022-25845-636e551a",
"source": "https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d",
"signature_type": "Function",
"target": {
"file": "src/main/java/com/alibaba/fastjson/parser/ParserConfig.java",
"function": "checkAutoType"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"307354704135657781910514977929763440486",
"51975395138924324950625600576954410951",
"271777464816131209055282230261021351129",
"163560256713937870037448241114952760138",
"321890371100865715481734615895251214529",
"32002887047850819828764123837068232168"
]
},
"id": "CVE-2022-25845-7c98c97b",
"source": "https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15",
"signature_type": "Line",
"target": {
"file": "src/test/java/com/alibaba/json/bvt/PointTest2.java"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"length": 192.0,
"function_hash": "119569938027679302348743738115144129512"
},
"id": "CVE-2022-25845-f23c538b",
"source": "https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d",
"signature_type": "Function",
"target": {
"file": "src/test/java/com/alibaba/json/bvt/bug/Bug_for_Exception.java",
"function": "test_exception"
},
"signature_version": "v1",
"deprecated": false
}
]
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-25845.json"