{"id":"GHSA-pv7h-hx5h-mgfj","summary":"Unsafe deserialization in com.alibaba:fastjson","details":"The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).","aliases":["CVE-2022-25845"],"modified":"2026-03-13T21:57:10.435418Z","published":"2022-06-11T00:00:17Z","database_specific":{"github_reviewed_at":"2022-06-17T00:58:22Z","severity":"HIGH","nvd_published_at":"2022-06-10T20:15:00Z","cwe_ids":["CWE-502"],"github_reviewed":true},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25845"},{"type":"WEB","url":"https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d"},{"type":"WEB","url":"https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15"},{"type":"PACKAGE","url":"https://github.com/alibaba/fastjson"},{"type":"WEB","url":"https://github.com/alibaba/fastjson/releases/tag/1.2.83"},{"type":"WEB","url":"https://github.com/alibaba/fastjson/wiki/security_update_20220523"},{"type":"WEB","url":"https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222"},{"type":"WEB","url":"https://www.ddosi.org/fastjson-poc"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"affected":[{"package":{"name":"com.alibaba:fastjson","ecosystem":"Maven","purl":"pkg:maven/com.alibaba/fastjson"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.2.25"},{"fixed":"1.2.83"}]}],"versions":["1.2.25","1.2.25.sec10","1.2.26","1.2.27","1.2.27.sec06","1.2.27.sec09","1.2.27.sec10","1.2.28","1.2.28.odps","1.2.29","1.2.29.sec04","1.2.29.sec06","1.2.29.sec09","1.2.29.sec10","1.2.30","1.2.31","1.2.31.sec10","1.2.31_noneautotype","1.2.32","1.2.33","1.2.34","1.2.35","1.2.36","1.2.37","1.2.38","1.2.39","1.2.40","1.2.41","1.2.42","1.2.43","1.2.44","1.2.45","1.2.46","1.2.47","1.2.48","1.2.48.sec06","1.2.48.sec09","1.2.48.sec09_noneautotype","1.2.48.sec10","1.2.48_noneautotype","1.2.49","1.2.50","1.2.50.sec10","1.2.50_noneautotype","1.2.51","1.2.51.sec06","1.2.51.sec10","1.2.52","1.2.52.sec06","1.2.52.sec09_noneautotype","1.2.52.sec10","1.2.53","1.2.54","1.2.54.sec06","1.2.54.sec10","1.2.54_noneautotype","1.2.55","1.2.55.sec10","1.2.56","1.2.56.sec06","1.2.57","1.2.57.sec06","1.2.57.sec10","1.2.57_noneautotype","1.2.58","1.2.58.sec06","1.2.58.sec09","1.2.58.sec10","1.2.59","1.2.60","1.2.60.sec09","1.2.60.sec09_noneautotype","1.2.60.sec10","1.2.60_noneautotype","1.2.61","1.2.61.sec10","1.2.62","1.2.62_noneautotype","1.2.63_noneautotype","1.2.66","1.2.67","1.2.67.sec10","1.2.67_noneautotype","1.2.67_noneautotype2","1.2.68","1.2.68.sec10","1.2.69","1.2.69_noneautotype","1.2.69_sec11","1.2.69_sec12","1.2.70","1.2.71","1.2.71_noneautotype","1.2.72","1.2.72_noneautotype","1.2.73","1.2.74","1.2.75","1.2.75_noneautotype","1.2.76","1.2.77","1.2.78","1.2.79","1.2.80"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-pv7h-hx5h-mgfj/GHSA-pv7h-hx5h-mgfj.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}