CVE-2022-25845 : The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization

The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).

Published 2022-06-10 20:15:08

Updated 2023-02-23 17:51:58

Source Snyk

View at NVD, CVE.org

Products affected by CVE-2022-25845

Oracle » Communications Cloud Native Core Unified Data Repository » Version: 22.2.0
cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.2.0:*:*:*:*:*:*:*
Matching versions
Alibaba » Fastjson
Versions before (<) 1.2.83
cpe:2.3:a:alibaba:fastjson:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-25845

EPSS FAQ

90.08%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 100 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-25845

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.1	HIGH	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H	2.2	5.9	Snyk
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-25845

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-25845

https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15

bug fix for autotype · alibaba/fastjson@8f3410f · GitHub
Patch;Third Party Advisory
https://www.ddosi.org/fastjson-poc/

fastjson 1.2.80版本反序列化漏洞poc - 🔰雨苁ℒ🔰
Exploit;Third Party Advisory
https://github.com/alibaba/fastjson/wiki/security_update_20220523

security_update_20220523 · alibaba/fastjson Wiki · GitHub
Third Party Advisory
https://github.com/alibaba/fastjson/releases/tag/1.2.83

Release FASTJSON 1.2.83版本发布（安全修复） · alibaba/fastjson · GitHub
Release Notes;Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222

Deserialization of Untrusted Data in com.alibaba:fastjson | CVE-2022-25845 | Snyk
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html

Oracle Critical Patch Update Advisory - July 2022
Patch;Third Party Advisory

CVEs referencing this url
https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d

bug fix for autoType · alibaba/fastjson@35db4ad · GitHub
Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-25845

Products affected by CVE-2022-25845

Exploit prediction scoring system (EPSS) score for CVE-2022-25845

CVSS scores for CVE-2022-25845

CWE ids for CVE-2022-25845

References for CVE-2022-25845