CVE-2025-70974
CriticalCVSS 10.0Exploitation Probability (EPSS)
Low risk48th percentile - higher than 48% of all known CVEs
Summary
Vulnerability in Fastjson before version 1.2.48 allows an attacker to inject JNDI code via a specially crafted JSON document with an @type key. The attack involves calling public methods of the specified Java class, which can lead to remote code execution. This flaw was actively exploited between 2023 and 2025.
Risk Assessment
The organization is at risk of remote server takeover via JNDI injection, potentially leading to data theft, backdoor installation, or complete system compromise.
Recommendation
Immediately update Fastjson to version 1.2.48 or later. If updating is not possible, disable the autoType feature or apply appropriate security filters.
Original NVD description (English source)
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.

