What is CVE-2022-25845?

CVE-2022-25845 is a high-severity vulnerability in Com.alibaba:fastjson. CVSS score: 8.1/10. Published 2022-06-10.

How severe is CVE-2022-25845?

High severity. CVSS v3 base score is 8.1 out of 10.

Is CVE-2022-25845 known to be exploited?

42 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Com.alibaba:fastjson

CVE-2022-25845

The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows at…

EPSS: 0.889 (99.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.1 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P.

Affected products

N/a Com.alibaba:fastjson — versions unspecified

Public proof-of-concept exploits

References

snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222 (x_refsource_MISC)
www.ddosi.org/fastjson-poc/ (x_refsource_MISC)
github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15 (x_refsource_MISC)
github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d (x_refsource_MISC)
github.com/alibaba/fastjson/wiki/security_update_20220523 (x_refsource_MISC)
github.com/alibaba/fastjson/releases/tag/1.2.83 (x_refsource_MISC)
www.oracle.com/security-alerts/cpujul2022.html (x_refsource_MISC)

Frequently asked questions

What is CVE-2022-25845?: CVE-2022-25845 is a high-severity vulnerability in Com.alibaba:fastjson. CVSS score: 8.1/10. Published 2022-06-10.
How severe is CVE-2022-25845?: High severity. CVSS v3 base score is 8.1 out of 10.
Is CVE-2022-25845 known to be exploited?: 42 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.