{"api_version":"1","generated_at":"2026-04-22T19:27:21+00:00","cve":"CVE-2022-25845","urls":{"html":"https://cve.report/CVE-2022-25845","api":"https://cve.report/api/cve/CVE-2022-25845.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-25845","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-25845"},"summary":{"title":"CVE-2022-25845","description":"The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).","state":"PUBLIC","assigner":"report@snyk.io","published_at":"2022-06-10 20:15:00","updated_at":"2023-02-23 17:51:00"},"problem_types":["CWE-502"],"metrics":[],"references":[{"url":"https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15","name":"N/A","refsource":"CONFIRM","tags":[],"title":"bug fix for autotype · alibaba/fastjson@8f3410f · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.ddosi.org/fastjson-poc/","name":"N/A","refsource":"CONFIRM","tags":[],"title":"fastjson 1.2.80版本反序列化漏洞poc - ????雨苁ℒ????","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/alibaba/fastjson/releases/tag/1.2.83","name":"N/A","refsource":"CONFIRM","tags":[],"title":"Release FASTJSON 1.2.83版本发布（安全修复） · alibaba/fastjson · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222","name":"N/A","refsource":"CONFIRM","tags":[],"title":"Deserialization of Untrusted Data in com.alibaba:fastjson | CVE-2022-25845 | Snyk","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/alibaba/fastjson/wiki/security_update_20220523","name":"N/A","refsource":"CONFIRM","tags":[],"title":"security_update_20220523 · alibaba/fastjson Wiki · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","name":"N/A","refsource":"N/A","tags":[],"title":"Oracle Critical Patch Update Advisory - July 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d","name":"N/A","refsource":"CONFIRM","tags":[],"title":"bug fix for autoType · alibaba/fastjson@35db4ad · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-25845","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25845","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"Unknown","lang":""}],"nvd_cpes":[{"cve_year":"2022","cve_id":"25845","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"alibaba","cpe5":"fastjson","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"25845","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"communications_cloud_native_core_unified_data_repository","cpe6":"22.2.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ASSIGNER":"report@snyk.io","DATE_PUBLIC":"2022-06-10T20:00:19.390362Z","ID":"CVE-2022-25845","STATE":"PUBLIC","TITLE":"Deserialization of Untrusted Data"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"com.alibaba:fastjson","version":{"version_data":[{"version_affected":"<","version_value":"1.2.83"}]}}]},"vendor_name":"n/a"}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Deserialization of Untrusted Data"}]}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222","name":"https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222"},{"refsource":"MISC","url":"https://www.ddosi.org/fastjson-poc/","name":"https://www.ddosi.org/fastjson-poc/"},{"refsource":"MISC","url":"https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15","name":"https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15"},{"refsource":"MISC","url":"https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d","name":"https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d"},{"refsource":"MISC","url":"https://github.com/alibaba/fastjson/wiki/security_update_20220523","name":"https://github.com/alibaba/fastjson/wiki/security_update_20220523"},{"refsource":"MISC","url":"https://github.com/alibaba/fastjson/releases/tag/1.2.83","name":"https://github.com/alibaba/fastjson/releases/tag/1.2.83"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpujul2022.html"}]},"description":{"description_data":[{"lang":"eng","value":"The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode)."}]},"impact":{"cvss":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},"credit":[{"lang":"eng","value":"Unknown"}]},"nvd":{"publishedDate":"2022-06-10 20:15:00","lastModifiedDate":"2023-02-23 17:51:00","problem_types":["CWE-502"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:alibaba:fastjson:*:*:*:*:*:*:*:*","versionEndExcluding":"1.2.83","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.2.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}