{"id":"CVE-2022-25845","details":"The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data: under certain conditions, specially crafted JSON input can bypass the default autoType shutdown restrictions that are meant to prevent attacker-selected classes from being deserialized. A remote, unauthenticated attacker who can supply JSON to an affected parser can exploit this to compromise the server (the CVSS 3.1 vector rates confidentiality, integrity and availability impact as high). Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode); note that, per the linked wiki, safeMode disables autoType support entirely, so confirm the application does not depend on autoType before enabling it in production.","aliases":["GHSA-pv7h-hx5h-mgfj"],"modified":"2026-04-11T22:01:34.081580Z","published":"2022-06-10T20:15:08.117Z","related":["SNYK-JAVA-COMALIBABA-2859222"],"references":[{"type":"ADVISORY","url":"https://github.com/alibaba/fastjson/releases/tag/1.2.83"},{"type":"ADVISORY","url":"https://github.com/alibaba/fastjson/wiki/security_update_20220523"},{"type":"ADVISORY","url":"https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"FIX","url":"https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d"},{"type":"FIX","url":"https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15"},{"type":"EVIDENCE","url":"https://www.ddosi.org/fastjson-poc/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/alibaba/fastjson","events":[{"introduced":"0"},{"fixed":"26f13f84fdd522de10678e43f55fde918ab7b347"},{"fixed":"35db4adad70c32089542f23c272def1ad920a60d"},{"fixed":"8f3410f81cbd437f7c459f8868445d50ad301f15"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.2.83"}]}}],"versions":["1.1.20","1.1.21","1.1.22","1.1.23","1.1.25","1.1.26","1.1.27","1.1.31","1.1.32","1.1.33","1.1.35","1.1.36","1.1.37","1.1.42","1.2.0","1.2.1","1.2.10","1.2.11_release","1.2.12","1.2.13","1.2.14","1.2.15","1.2.16","1.2.17","1.2.18","1.2.19","1.2.2","1.2.20","1.2.21","1.2.22","1.2.23","1.2.24","1.2.25","1.2.26","1.2.27","1.2.28","1.2.29","1.2.30","1.2.31","1.2.32","1.2.33","1.2.34","1.2.35","1.2.36","1.2.37","1.2.38","1.2.39","1.
2.4","1.2.40","1.2.41","1.2.42","1.2.43","1.2.44","1.2.45","1.2.46","1.2.47","1.2.48","1.2.49","1.2.50","1.2.51","1.2.52","1.2.54","1.2.55","1.2.56","1.2.57","1.2.58","1.2.59","1.2.6","1.2.60","1.2.61","1.2.62","1.2.63","1.2.66","1.2.67","1.2.68","1.2.69","1.2.7","1.2.70","1.2.71","1.2.72","1.2.73","1.2.74","1.2.75","1.2.76","1.2.78","1.2.79","1.2.8","1.2.80","1.2.9"],"database_specific":{"vanir_signatures_modified":"2026-04-11T22:01:34Z","vanir_signatures":[{"signature_version":"v1","signature_type":"Line","deprecated":false,"id":"CVE-2022-25845-1b85b0de","digest":{"threshold":0.9,"line_hashes":["61024697520050202701621572067117824757","299278800782337073088942980025648933138"]},"source":"https://github.com/alibaba/fastjson/commit/26f13f84fdd522de10678e43f55fde918ab7b347","target":{"file":"src/main/java/com/alibaba/fastjson/JSON.java"}},{"signature_version":"v1","signature_type":"Function","deprecated":false,"id":"CVE-2022-25845-2ececd91","digest":{"length":496,"function_hash":"263709127359607957505066787466238883719"},"source":"https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15","target":{"function":"test_point","file":"src/test/java/com/alibaba/json/bvt/PointTest2.java"}},{"signature_version":"v1","signature_type":"Line","deprecated":false,"id":"CVE-2022-25845-3170e760","digest":{"threshold":0.9,"line_hashes":["42019374667715151548414386455597848271","261647332084669642067673889074193407907","140652181733654025014420524657994915642","281677047825629461810306487545906737319","42344365482721568115775040764119899550","254488526636465409923827814493820827872","49913526691816752756705378546368183645","132183748340968926055092878820199561410","156858443304170883432898439978142462304","88061640506583648181423432113786249999","312233732510431193073146015508573863848","135489702588547835646695090408342491553","128148263078011778332722549528505039295","194755019387191719519394707370691003228","37789225863914031121875611446504120094","531442
70407581646639484539682170737568","238299898149172482960273210745948667370","61720797564892288091435181523276315527","220146179592950675355142283854598856213","86449347169640609840825447401542692571","161512536767571553818986129398903362583","185191352221934877561875350592375496405","246125325798476598517410149646837409229","239250099492412344066030563567670406529","274534710593711184383895400790624615892","247086880050703216695258984153205170608","291434916556184221354847747186853857873","114724774186460852979732007555435287230","110912965948561628047095055388931416228","86728366194803233130514475274098431063","92132590868500742699976083404475379917","110253794791082447594130223549992602360","150311191359098418195106862007470667357","68127192807873558300546325950907091928","257174281971252908410083431901768124606","156661812714532894813963664888815193134","22555810421602849679738864098775285326","28294348546258085355871189317662304685","198442294796523179829112633889137251492","239552984243007006362474039758678824054","137838775446629889243361775167923328005","164535402268719813254638406688155991116","24535438523346546395283953533138832349","305505177723542457417771748079052646423","22594433761210503568401996059479269374","147519113533513755760476834195306337670","109438782601948442361221323390461224721","108370928176284982373927645155840684438","172610104072177208318374416424507283744","173982959830285498680711886129017996223","257905104262350477702357137341305454418","314369326295053333171928106470504602310","14535924420209791383866767963920337849","81452139915633522815676464911882533244","140586724875599386380932660728555728047","325377413254581394098306480201053172646","17270619930087626191052675823308302589","125648168627692082683766204151380102727","179227163271768488295561188507685525347","164437503825906020546370955693321941374","115702398258520763902560805589070144931","26378778051551351512028745259876588752","153398886045706505036261299964847292672","2986
49941837505280518897706664212961315","282733859300870437927482783796393401331","145371376845343627788362004901246686103","135717222437622676537684030412648010311","301221374054761452611723826904016319759","9999553244590762179180539078362410675","137531530795646165778657260825453629174","173230956339928869567501147124263420942","203322116337848706140214141757205144408","170672131831968689939747766393964734741","66781267003266104305615643665111944685","191962870328976087574734121280085330359","11767683388579311843561642416002044371","11530123334182055188826253827836930710","179197548024987212124385182998738869663"]},"source":"https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d","target":{"file":"src/main/java/com/alibaba/fastjson/parser/ParserConfig.java"}},{"signature_version":"v1","signature_type":"Line","deprecated":false,"id":"CVE-2022-25845-4fa7a2f7","digest":{"threshold":0.9,"line_hashes":["327656689625169491807666196008214900878","264184945322064187024201558092645048986","59217624312272304474253748749603366137","289059678654717703797742436058568310759","98780712871516867734269464847596618482","308930319451266143944166162017117647243","22030314772773981362218784200177426196","217152839289230024632560064188348811825"]},"source":"https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d","target":{"file":"src/test/java/com/alibaba/json/bvt/bug/Bug_for_Exception.java"}},{"signature_version":"v1","signature_type":"Function","deprecated":false,"id":"CVE-2022-25845-636e551a","digest":{"length":5379,"function_hash":"117009548729306227632091226377174928215"},"source":"https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d","target":{"function":"checkAutoType","file":"src/main/java/com/alibaba/fastjson/parser/ParserConfig.java"}},{"signature_version":"v1","signature_type":"Line","deprecated":false,"id":"CVE-2022-25845-7c98c97b","digest":{"threshold":0.9,"line_hashes":["3073547041356577
81910514977929763440486","51975395138924324950625600576954410951","271777464816131209055282230261021351129","163560256713937870037448241114952760138","321890371100865715481734615895251214529","32002887047850819828764123837068232168"]},"source":"https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15","target":{"file":"src/test/java/com/alibaba/json/bvt/PointTest2.java"}},{"signature_version":"v1","signature_type":"Function","deprecated":false,"id":"CVE-2022-25845-7db3b5da","digest":{"length":5535,"function_hash":"240822137874923677560138862440143889681"},"source":"https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15","target":{"function":"checkAutoType","file":"src/main/java/com/alibaba/fastjson/parser/ParserConfig.java"}},{"signature_version":"v1","signature_type":"Function","deprecated":false,"id":"CVE-2022-25845-f23c538b","digest":{"length":192,"function_hash":"119569938027679302348743738115144129512"},"source":"https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d","target":{"function":"test_exception","file":"src/test/java/com/alibaba/json/bvt/bug/Bug_for_Exception.java"}},{"signature_version":"v1","signature_type":"Line","deprecated":false,"id":"CVE-2022-25845-fa68e58e","digest":{"threshold":0.9,"line_hashes":["279778734672497193238483392055050191899","176996511607279796619779118929455736992","143375764946863244132789812537296429079","332283741993974309432023062522397235322","1404219238504265575386775521685336323","64147909650118884293301958160046511604","156443741528784070429587348614862912731","321573775157954884819616024811654744886","41687807269167290856048230454736580141","77443944254304244915609977293331977204","227646832213235208728887825164132491204","165451544584175473920852518315985419185","327879516107553956642337042507272937731","220878704264074449644632311576743539151","312976143975444827748660192399712212438","236927902947375671068455518211940942666","1123082
87001451165323250418869879215906","331012731926207686766361032026253096147","73354394869000373839609402166001131848","286947571974587761575420566316202379014","152842980476881067451835580118000805973","170237711873916851670225641610397462966","65551011051473516133109082560697503896","73464906247820271211093256947176607081","280965213196034190130078707779433260962","92605237934033397134200758538890074761","220425484089669960502368504554362835679","304019371657165107089907396817985021089","234680468285525480204738907549358021141","52346519340277732542771106080314324189","142858511027173382931353958931998785530","222240702314856684584219720350090802031","265186336501875720966579346187810217248","173359784663932906160157765280712106995","148872278025719481490964011182173609119","19946848050185292064876599352389135162","194156155515328128583105645637314645407","145646132064196529228513351444645336127","131152046750100782268555277243681664625","242463975394187713292691724850120889342","99905842070842878903728635460215013688","69005983699555322753933887942173575720","9035500376936235785451031699049233672","122839025243910746787723705216666029906","118330719011923063554625987125305929075","177672784376523105262724245088568012620","298828003270393252915010139867227603988","125120550463407977210735998126039288085","162701364327801195020672386984553604648","282380388052364403300794304914388949841","309132222340588787562983575071215696111","214147216529982431086427284925079100458","149157435788352619095008052707972142627","310079603925985928468146089564539447919","243573475032255967069499032852518502598","3039438494080165595874839029140119533","306063246689894686999641193916026272350","141446578878382471240051565574549004807","286671283454071798650410425990679849177","181937363773014718217553898456743032082","157940904984305019032103378772267962942","241794423187945957489195827829773341998","268328261443537268198378046091705124299","94794701757231058527710953124968410978","9339
8550580503117074915489480846677686","283178181648741273939866158339939319552","147982901454634131718271709916537721323","312977854351668003564573754833750055709","265145092637532095648636787669986619803","85280621004706290324405216247637014592","124197036501863160527560809627259823368","210310514629756595359360194006135523158","171014986829790189095151128345866541371","98777810048825312084614038983151745717","124544531205872865643681948191257861105","158624453673659348759181836749396635278","260169949095035694960328826249232612157","232490144393356466451285072973563870320","104056200255315715737901000971760818712","166418760901673773945905376808308904446","149871535428361881712101982840060542453","147990193887219824656987359976368359750","292762491769687484329536798530071511262","163153551127802833579610823192734646915","293197090398358854591966836468084550427","106483988475126787649711940140062140693","94016447520151250836624740158647988296","8469258116847821092884612156130069456","15555259411232089508961488092201276579","223085391844703455412380259751316743923"]},"source":"https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15","target":{"file":"src/main/java/com/alibaba/fastjson/parser/ParserConfig.java"}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-25845.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"22.2.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}