CVE-2022-25845
Deserialization of Untrusted Data vulnerability in fastjson (Maven)
What is CVE-2022-25845 About?
This vulnerability is a Deserialization of Untrusted Data flaw in the Fastjson library that lets attackers bypass its autoType security restrictions. Successful exploitation can lead to execution of arbitrary code on the remote server, making it a critical issue; ease of exploitation is moderate to high, depending on the conditions described below.
Affected Software
Technical Details
The Fastjson library (com.alibaba:fastjson before 1.2.83) is susceptible to a Deserialization of Untrusted Data vulnerability. It occurs when the autoType restrictions, the library's guard against deserializing arbitrary classes, are bypassed. Attackers can craft malicious serialized data that, when deserialized by a vulnerable application, instantiates arbitrary classes and invokes their methods. If suitable gadgets are available on the classpath, this leads to remote code execution on the server.
What is the Impact of CVE-2022-25845?
Successful exploitation may allow attackers to execute arbitrary code, leading to full system compromise, data theft, or denial of service.
What is the Exploitability of CVE-2022-25845?
Exploitation typically involves crafting specific JSON payloads that bypass autoType restrictions. This usually requires knowledge of the target application's classpath to identify suitable deserialization gadgets. Authentication is not typically required to trigger the deserialization process itself, but it depends on how the Fastjson library is exposed in the application. Privilege requirements are low, as the initial deserialization often happens within the context of the application's user. Exploitation is remote. The primary constraint is the attacker's ability to send controlled input to a vulnerable endpoint that deserializes it using Fastjson. Risk factors increase if the application directly exposes Fastjson deserialization to untrusted input without proper validation or if safeMode is not enabled.
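As an added example (not code from this advisory or from the fastjson project), the following Java helper shows the safeMode mitigation named above: autoType is switched off globally and untrusted JSON is parsed only into the type the endpoint expects. It assumes fastjson 1.2.83 on the classpath; the `Order` class and the class name in the second constructed input are hypothetical.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class SafeModeDemo {
    // Hypothetical DTO the endpoint expects to receive.
    public static class Order {
        public String id;
        public int quantity;
    }

    static {
        // Hardened setting: safeMode disables autoType entirely, so a JSON
        // "@type" key can no longer choose which class gets instantiated.
        // Equivalent JVM flag: -Dfastjson.parser.safeMode=true
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    /** Parse untrusted JSON into the expected type only; the input never selects the class. */
    static Order parseOrder(String untrustedJson) {
        return JSON.parseObject(untrustedJson, Order.class);
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from real traffic.
        String benign = "{\"id\":\"A-100\",\"quantity\":2}";
        // Carries an "@type" key naming some (hypothetical) class other than Order.
        String typed  = "{\"@type\":\"com.example.SomeOtherClass\",\"id\":\"A-100\",\"quantity\":2}";

        Order ok = parseOrder(benign);
        System.out.println("benign input parsed: " + ok.id + " x" + ok.quantity);

        try {
            parseOrder(typed);
            System.out.println("UNEXPECTED: @type key was accepted");
        } catch (JSONException e) {
            // With safeMode on, fastjson rejects any "@type" before resolving the
            // named class, whatever class it points to.
            System.out.println("rejected @type input: " + e.getMessage());
        }
    }
}
```

Applications that genuinely need polymorphic deserialization should upgrade to 1.2.83 and keep an explicit allow-list via `ParserConfig.addAccept` instead of leaving autoType open.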
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| luelueking | Link | CVE-2022-25845(fastjson1.2.80) exploit in Spring Env! |
| hosch3n | Link | [fastjson 1.2.80] CVE-2022-25845 aspectj fileread & groovy remote classload |
| ph0ebus | Link | exploit by python |
What are the Available Fixes for CVE-2022-25845?
Available Upgrade Options
- com.alibaba:fastjson
  - >1.2.25, <1.2.83 → Upgrade to 1.2.83
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2022-25845
- https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d
- https://github.com/alibaba/fastjson/wiki/security_update_20220523
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.ddosi.org/fastjson-poc
- https://github.com/alibaba/fastjson/releases/tag/1.2.83
- https://github.com/alibaba/fastjson
- https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222
- https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15
What are Similar Vulnerabilities to CVE-2022-25845?
Similar Vulnerabilities: CVE-2020-2555, CVE-2017-3506, CVE-2019-2725, CVE-2021-21346, CVE-2015-4852
