
Researchers at JFrog have disclosed details of a now-patched high-severity security vulnerability in the popular Fastjson library that could potentially be exploited to achieve remote code execution (RCE).
Fastjson is a Java library that can be used to convert Java objects into their JSON representation. It can also be used to convert a JSON string into an equivalent Java object.
Tracked as CVE-2022-25845 (CVSS score 8.1), the flaw resides in a feature called AutoType and relates to the deserialization of untrusted data. The AutoType function allows a custom type to be specified when parsing a JSON input, which is then deserialized into an object of that class.
The impact is wide-ranging: the library is used in more than 5000 projects, and the flaw affects every Java application that relies on Fastjson version 1.2.80 or earlier and passes user-controlled data to either the JSON.parse or JSON.parseObject API without specifying a class to deserialize into.
The vulnerability was addressed with the release of version 1.2.83 on May 23, 2022.
Initially, the issue was addressed by the development team by introducing a safeMode that disables AutoType and by implementing a blocklist of classes to defend against deserialization issues.
Experts then discovered how to bypass these restrictions to achieve remote code execution, forcing the development team to introduce new fixes.
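The vulnerable call pattern described above (untrusted input reaching JSON.parse with no target class) beside a hardened equivalent that enables safeMode and names the expected class, as an added example that is not code from the JFrog write-up or from the Fastjson project. It assumes Fastjson 1.2.83 or later on the classpath; the Order class and the sample JSON documents are constructed for illustration.

```java
// Added example (not from the advisory or the Fastjson project).
// Assumes Fastjson 1.2.83+ on the classpath; Order is a hypothetical type.
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastjsonHardening {

    // Hypothetical application type: the only class we expect to deserialize.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Vulnerable pattern named in the advisory: untrusted input is parsed with
    // no target class, so the document itself can name the class Fastjson
    // instantiates (AutoType) when the library's checks are bypassed.
    static Object parseUntrustedUnsafe(String untrustedJson) {
        return JSON.parse(untrustedJson);
    }

    // Hardened pattern: safeMode switches AutoType off globally (the JVM flag
    // -Dfastjson.parser.safeMode=true does the same), and the caller names the
    // exact class it expects, so the input cannot choose one.
    static Order parseUntrustedSafe(String untrustedJson) {
        ParserConfig.getGlobalInstance().setSafeMode(true); // do once at startup
        return JSON.parseObject(untrustedJson, Order.class);
    }

    public static void main(String[] args) {
        // Constructed sample input: a benign order document.
        String benign = "{\"id\":\"A-1\",\"quantity\":2}";
        Order o = parseUntrustedSafe(benign);
        System.out.println(o.id + " x" + o.quantity);

        // Constructed sample input: a document carrying Fastjson's documented
        // type-selection key. With safeMode on, the parser rejects it with a
        // JSONException before any class name is resolved.
        String typed = "{\"@type\":\"com.example.SomeOtherType\",\"id\":\"A-2\"}";
        try {
            parseUntrustedSafe(typed);
            System.out.println("unexpected: input was accepted");
        } catch (JSONException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Logging the rejected documents at the point where the JSONException is caught gives a simple detection signal for inputs that attempt to select a type.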