{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2025-70974", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-01-09T06:43:23.338Z", "datePublished": "2026-01-09T06:43:23.584Z", "dateUpdated": "2026-01-09T21:37:10.756Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Fastjson", "vendor": "Alibaba", "versions": [{"lessThan": "1.2.48", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-829", "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-09T06:57:21.981Z"}, "references": [{"url": "https://github.com/alibaba/fastjson/compare/1.2.47...1.2.48"}, {"url": "https://www.seebug.org/vuldb/ssvid-98020"}, {"url": "https://www.cnvd.org.cn/flaw/show/CNVD-2019-22238"}, {"url": "https://www.freebuf.com/vuls/208339.html"}, {"url": "https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce"}, {"url": "https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger"}, {"url": "https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "x_year": "2018"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-09T21:37:04.264336Z", "id": "CVE-2025-70974", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T21:37:10.756Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-70974", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-09T21:37:04.264336Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T19:08:04.762Z"}}], "cna": {"x_year": "2018", "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Alibaba", "product": "Fastjson", "versions": [{"status": "affected", "version": "0", "lessThan": "1.2.48", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/alibaba/fastjson/compare/1.2.47...1.2.48"}, {"url": "https://www.seebug.org/vuldb/ssvid-98020"}, {"url": "https://www.cnvd.org.cn/flaw/show/CNVD-2019-22238"}, {"url": "https://www.freebuf.com/vuls/208339.html"}, {"url": "https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce"}, {"url": "https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger"}, {"url": "https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-829", "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-09T06:57:21.981Z"}}}, "cveMetadata": {"cveId": "CVE-2025-70974", "state": "PUBLISHED", "dateUpdated": "2026-01-09T21:37:10.756Z", "dateReserved": "2026-01-09T06:43:23.338Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-01-09T06:43:23.584Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845."}, {"lang": "es", "value": "Fastjson anterior a 1.2.48 maneja incorrectamente autoType porque, cuando una clave @type est\u00e1 en un documento JSON y el valor de esa clave es el nombre de una clase Java, puede haber llamadas a ciertos m\u00e9todos p\u00fablicos de esa clase. Dependiendo del comportamiento de esos m\u00e9todos, puede haber inyecci\u00f3n JNDI con una carga \u00fatil proporcionada por el atacante ubicada en otra parte de ese documento JSON. Esto fue explotado en la naturaleza entre 2023 y 2025. NOTA: este problema existe debido a una correcci\u00f3n incompleta para CVE-2017-18349. Adem\u00e1s, una omisi\u00f3n posterior est\u00e1 cubierta por CVE-2022-25845."}], "id": "CVE-2025-70974", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-01-09T07:16:02.677", "references": [{"source": "cve@mitre.org", "url": "https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955"}, {"source": "cve@mitre.org", "url": "https://github.com/alibaba/fastjson/compare/1.2.47...1.2.48"}, {"source": "cve@mitre.org", "url": "https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce"}, {"source": "cve@mitre.org", "url": "https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger"}, {"source": "cve@mitre.org", "url": "https://www.cnvd.org.cn/flaw/show/CNVD-2019-22238"}, {"source": "cve@mitre.org", "url": "https://www.freebuf.com/vuls/208339.html"}, {"source": "cve@mitre.org", "url": "https://www.seebug.org/vuldb/ssvid-98020"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-829"}], "source": "cve@mitre.org", "type": "Primary"}]}

{"bugzilla": {"description": "fastjson: From CVEorg collector", "id": "2428203", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2428203"}, "csaw": false, "cvss3": {"cvss3_base_score": "10.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-829", "details": ["No description is available for this CVE."], "name": "CVE-2025-70974", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Not affected", "package_name": "openshift-service-mesh/grafana-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Not affected", "package_name": "openshift-service-mesh/istio-cni-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Not affected", "package_name": "openshift-service-mesh/istio-must-gather-rhel9", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Not affected", "package_name": "openshift-service-mesh/istio-operator-bundle", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Not affected", "package_name": "openshift-service-mesh/istio-rhel8-operator", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Not affected", "package_name": "openshift-service-mesh/pilot-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Not affected", "package_name": "openshift-service-mesh/proxyv2-rhel9", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Not affected", "package_name": "openshift-service-mesh/ratelimit-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "fastjson", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Not affected", "package_name": "fastjson", "product_name": "Red Hat build of Debezium 2"}, {"cpe": "cpe:/a:redhat:debezium:3", "fix_state": "Not affected", "package_name": "fastjson", "product_name": "Red Hat build of Debezium 3"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "fastjson", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "fastjson", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "fastjson", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-01-09T06:43:23Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-70974\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-70974\nhttps://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955\nhttps://github.com/alibaba/fastjson/compare/1.2.47...1.2.48\nhttps://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce\nhttps://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger\nhttps://www.cnvd.org.cn/flaw/show/CNVD-2019-22238\nhttps://www.freebuf.com/vuls/208339.html\nhttps://www.seebug.org/vuldb/ssvid-98020"], "threat_severity": "Critical"}

{"created": "2026-01-09T13:23:42.249331+00:00", "updated": "2026-01-09T13:23:42.249358+00:00", "vendors": ["alibaba", "alibaba$PRODUCT$fastjson"]}