Headline
GHSA-jm7w-5684-pvh8: FASTJSON Includes Functionality from Untrusted Control Sphere
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.
Skip to content
Navigation Menu
AI CODE CREATION
GitHub CopilotWrite better code with AI
GitHub SparkBuild and deploy intelligent apps
GitHub ModelsManage and compare prompts
MCP RegistryNewIntegrate external tools
View all features
- Pricing
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
Appearance settings
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-70974
FASTJSON Includes Functionality from Untrusted Control Sphere
Critical severity GitHub Reviewed Published Jan 9, 2026 to the GitHub Advisory Database • Updated Jan 9, 2026
Package
maven com.alibaba:fastjson (Maven)
Affected versions
< 1.2.48
Description
Published to the GitHub Advisory Database
Jan 9, 2026