CVE-2022-25845 Overview
CVE-2022-25845 is an Insecure Deserialization vulnerability affecting Alibaba's Fastjson Java library versions before 1.2.83. The vulnerability allows attackers to bypass the default autoType shutdown restrictions under certain conditions, enabling the deserialization of untrusted data. This flaw can be exploited to execute arbitrary code on remote servers, making it particularly dangerous for applications that process JSON data from untrusted sources.
Fastjson is a widely-used high-performance JSON parser and generator for Java, commonly deployed in enterprise applications, microservices architectures, and cloud-native environments. The vulnerability stems from insufficient restrictions on the autoType feature, which allows automatic type resolution during JSON deserialization.
Critical Impact
Successful exploitation allows remote attackers to execute arbitrary code on vulnerable servers by sending specially crafted JSON payloads, potentially leading to complete system compromise.
Affected Products
- Alibaba Fastjson versions prior to 1.2.83
- Oracle Communications Cloud Native Core Unified Data Repository version 22.2.0
Discovery Timeline
- June 10, 2022 - CVE-2022-25845 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-25845
Vulnerability Analysis
The vulnerability resides in Fastjson's autoType functionality, which was designed to automatically deserialize JSON strings into their corresponding Java objects based on type information embedded in the JSON payload. While Alibaba implemented default autoType shutdown restrictions to prevent deserialization attacks, security researchers discovered bypass techniques that allow attackers to circumvent these protections under specific conditions.
When autoType is enabled or when the restrictions can be bypassed, an attacker can craft malicious JSON payloads containing references to dangerous Java classes. During deserialization, Fastjson instantiates these classes and invokes their methods, potentially leading to remote code execution. This attack pattern is similar to other well-known Java deserialization vulnerabilities but specifically exploits Fastjson's type handling mechanisms.
The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data), which represents a significant security risk in applications that process external input through deserialization routines.
Root Cause
The root cause of CVE-2022-25845 lies in incomplete input validation within Fastjson's autoType feature. Despite implementing a blocklist-based approach to prevent deserialization of known dangerous classes, the library failed to account for all possible bypass techniques. Attackers discovered methods to reference gadget classes that were not included in the blocklist or to use class loading techniques that circumvented the restrictions entirely.
The fundamental design flaw is the reliance on blocklisting rather than a more secure allowlist approach, combined with insufficient sanitization of type information in JSON payloads before object instantiation occurs.
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker can exploit this vulnerability by sending a malicious JSON payload to any application endpoint that uses a vulnerable version of Fastjson for JSON parsing. The attack is particularly effective against:
- REST API endpoints accepting JSON input
- Microservices communicating via JSON messages
- Web applications processing user-supplied JSON data
- Message queue consumers parsing JSON payloads
The exploitation mechanism involves crafting JSON with embedded @type fields that reference Java classes capable of executing arbitrary commands when instantiated or when specific methods are called during the deserialization process.
Detailed technical information about exploitation techniques is available through the Snyk vulnerability database and the Alibaba security advisory.
Detection Methods for CVE-2022-25845
Indicators of Compromise
- Unusual JSON payloads containing @type fields with references to uncommon Java classes
- Incoming HTTP requests with JSON bodies containing serialized object references to classes like javax.naming.InitialContext, com.sun.rowset.JdbcRowSetImpl, or other known gadget classes
- Unexpected outbound network connections from application servers following JSON processing
- Anomalous Java process spawning or command execution on servers running Fastjson-dependent applications
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block JSON payloads containing suspicious @type patterns commonly used in deserialization attacks
- Deploy application-level logging to capture and alert on deserialization attempts involving non-allowlisted classes
- Utilize Software Composition Analysis (SCA) tools to identify applications using vulnerable Fastjson versions
- Monitor application logs for com.alibaba.fastjson exceptions that may indicate exploitation attempts
Monitoring Recommendations
- Enable verbose logging for Fastjson parsing operations in development and staging environments to understand normal patterns
- Configure SIEM alerts for patterns matching known Fastjson exploitation payloads
- Implement network traffic analysis to detect potential data exfiltration or command-and-control communications following exploitation
- Regularly scan container images and application dependencies for vulnerable Fastjson versions
How to Mitigate CVE-2022-25845
Immediate Actions Required
- Upgrade Alibaba Fastjson to version 1.2.83 or later immediately across all affected applications
- If immediate upgrade is not possible, enable Fastjson's safeMode feature to completely disable autoType functionality
- Conduct an inventory of all applications and services using Fastjson to ensure comprehensive remediation
- Review application architecture to identify all entry points where JSON data is processed
Patch Information
Alibaba has released version 1.2.83 of Fastjson which addresses this vulnerability. The fix includes enhanced restrictions on the autoType feature and additional class validation during deserialization.
Security patches are available through the following resources:
- Fastjson Release 1.2.83
- GitHub Commit 35db4adad70c32089542f23c272def1ad920a60d
- GitHub Commit 8f3410f81cbd437f7c459f8868445d50ad301f15
For Oracle products, refer to the Oracle Critical Patch Update Advisory - July 2022.
Workarounds
- Enable safeMode by setting the system property fastjson.parser.safeMode=true to completely disable autoType
- Implement strict input validation on all JSON endpoints to reject payloads containing @type fields
- Consider migrating to alternative JSON libraries such as Jackson or Gson that have more secure default configurations
- Deploy network-level controls to filter malicious JSON patterns before they reach vulnerable applications
# Enable safeMode via JVM system property
java -Dfastjson.parser.safeMode=true -jar your-application.jar
# Alternatively, enable safeMode programmatically in your application
# ParserConfig.getGlobalInstance().setSafeMode(true);
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
