Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

Back to All

CVE

CVE-2022-25845

Unsafe deserialization in com.alibaba:fastjson

Description

The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable safeMode.

Base CVSS

9.8

EPSS Score

90.08%

Introduced Version

1.1.20

Fix Available

1.2.83

Fix without Upgrading

Available Patches

Package

CVEs Fixed

Lines of Code Changed

References

https://github.com/alibaba/fastjson/releases/tag/1.2.83

https://github.com/alibaba/fastjson

https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d

https://nvd.nist.gov/vuln/detail/CVE-2022-25845

https://www.ddosi.org/fastjson-poc

https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15

https://github.com/alibaba/fastjson/wiki/security_update_20220523

https://www.oracle.com/security-alerts/cpujul2022.html

https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222

AppSec for the Software Development Revolution

Endor Labs builds a complete graph of your software estate, so teams can pinpoint and fix critical risks in complex, dependency-rich code—whether it was written by humans or AI.

Welcome to the resistance

Oops! Something went wrong, please try again.