A high-severity security vulnerability in the popular Fastjson library was discovered that could be exploited to achieve remote code execution on the target system. Fastjson is a Java library that is used to convert Java Objects into their JSON representation and vice versa.
The vulnerability, tracked as CVE-2022-25845, is a deserialization-of-untrusted-data issue in a feature called “AutoType.” AutoType, which is enabled by default in older versions of Fastjson, lets the incoming JSON object itself name the Java class that Fastjson should instantiate when deserializing it. If the deserialized JSON is user-controlled, however, AutoType parsing can allow an attacker to instantiate any class available on the classpath and supply arbitrary arguments to it, which can lead to remote code execution on the system.
The maintainers of Fastjson have released a patch for this vulnerability to fully remediate the issue. The vulnerability can also be mitigated prior to patching by enabling Fastjson’s “Safe Mode” feature.
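Enabling the Safe Mode mitigation described above, as an added Java example (not code from this advisory or from the Fastjson project); it assumes Fastjson 1.2.68 or later, where `ParserConfig.setSafeMode` exists, and the `User` class and the two JSON inputs are constructed for illustration.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class SafeModeDemo {

    // Harmless application class used as the deserialization target (constructed).
    public static class User {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Constructed input carrying an "@type" key: the field AutoType consults,
    // in the default configuration, to decide which class to instantiate.
    static final String TYPED_INPUT =
        "{\"@type\":\"" + User.class.getName() + "\",\"name\":\"alice\"}";

    // Constructed input without "@type"; the target class is fixed by the caller.
    static final String PLAIN_INPUT = "{\"name\":\"alice\"}";

    public static void main(String[] args) {
        // Mitigation: switch the global parser into safeMode, which disables AutoType
        // entirely. The same setting can be applied without a code change via the JVM
        // option -Dfastjson.parser.safeMode=true or a fastjson.properties file that
        // contains fastjson.parser.safeMode=true.
        ParserConfig.getGlobalInstance().setSafeMode(true);

        // Deserialization with a caller-chosen target class still works: the class is
        // decided by the application, not by the input.
        User fixedTarget = JSON.parseObject(PLAIN_INPUT, User.class);
        System.out.println("explicit target parsed: " + fixedTarget.getName());

        // In safeMode any "@type" key is rejected outright, even for a harmless class,
        // so the input can no longer steer which class gets instantiated.
        try {
            JSON.parseObject(TYPED_INPUT);
            System.out.println("UNEXPECTED: @type was honoured in safeMode");
        } catch (JSONException e) {
            System.out.println("rejected in safeMode: " + e.getMessage());
        }
    }
}
```

Apply the setting once at application start-up (before any parsing), and confirm the deployed version by checking the Fastjson artifact in the build, since safeMode is unavailable in releases older than 1.2.68.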