{"api_version":"1","generated_at":"2026-06-27T11:37:32+00:00","cve":"CVE-2025-70974","urls":{"html":"https://cve.report/CVE-2025-70974","api":"https://cve.report/api/cve/CVE-2025-70974.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-70974","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-70974"},"summary":{"title":"CVE-2025-70974","description":"Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.","state":"PUBLISHED","assigner":"mitre","published_at":"2026-01-09 07:16:02","updated_at":"2026-06-27 05:16:41"},"problem_types":["CWE-829","CWE-829 CWE-829 Inclusion of Functionality from Untrusted Control Sphere","CWE-829 Inclusion of Functionality from Untrusted Control Sphere"],"metrics":[{"version":"3.1","source":"ADP","type":"CVSS","score":"10","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":10,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}},{"version":"3.1","source":"cve@mitre.org","type":"Secondary","score":"10","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","baseScore":10,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","score":"10","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","baseScore":10,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"10","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":10,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce","name":"https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce","refsource":"cve@mitre.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/alibaba/fastjson/compare/1.2.47...1.2.48","name":"https://github.com/alibaba/fastjson/compare/1.2.47...1.2.48","refsource":"cve@mitre.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.freebuf.com/vuls/208339.html","name":"https://www.freebuf.com/vuls/208339.html","refsource":"cve@mitre.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger","name":"https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger","refsource":"cve@mitre.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.seebug.org/vuldb/ssvid-98020","name":"https://www.seebug.org/vuldb/ssvid-98020","refsource":"cve@mitre.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-70974.json","name":"https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-70974.json","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2428203","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2428203","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955","name":"https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955","refsource":"cve@mitre.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/security/cve/CVE-2025-70974","name":"https://access.redhat.com/security/cve/CVE-2025-70974","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cnvd.org.cn/flaw/show/CNVD-2019-22238","name":"https://www.cnvd.org.cn/flaw/show/CNVD-2019-22238","refsource":"cve@mitre.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-70974","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-70974","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Alibaba","product":"Fastjson","version":"affected 1.2.48 custom","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"OpenShift Service Mesh 2","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat build of Apache Camel for Spring Boot 4","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat build of Debezium 2","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat build of Debezium 3","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Fuse 7","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat JBoss Enterprise Application Platform 8","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat JBoss Enterprise Application Platform Expansion Pack","version":"","platforms":[]}],"timeline":[{"source":"ADP","time":"2026-01-09T07:02:15.514Z","lang":"en","value":"Reported to Red Hat."},{"source":"ADP","time":"2026-01-09T06:43:23.584Z","lang":"en","value":"Made public."}],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2025-70974","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-01-09T21:37:04.264336Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-01-09T21:37:10.756Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"affected":[{"cpes":["cpe:/a:redhat:service_mesh:2"],"defaultStatus":"unaffected","product":"OpenShift Service Mesh 2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:camel_spring_boot:4"],"defaultStatus":"unaffected","product":"Red Hat build of Apache Camel for Spring Boot 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:debezium:2"],"defaultStatus":"unaffected","product":"Red Hat build of Debezium 2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:debezium:3"],"defaultStatus":"unaffected","product":"Red Hat build of Debezium 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_fuse:7"],"defaultStatus":"unaffected","product":"Red Hat Fuse 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_enterprise_application_platform:8"],"defaultStatus":"unaffected","product":"Red Hat JBoss Enterprise Application Platform 8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jbosseapxp"],"defaultStatus":"unaffected","product":"Red Hat JBoss Enterprise Application Platform Expansion Pack","vendor":"Red Hat"}],"datePublic":"2026-01-09T06:43:23.584Z","descriptions":[{"lang":"en","value":"A flaw was found in Fastjson, a popular Java library for converting Java objects to JSON and vice versa. This vulnerability allows a remote attacker to execute arbitrary code on a system by sending a specially crafted JSON document. The issue stems from Fastjson's \"autoType\" feature, which, when mishandled, can lead to Java Naming and Directory Interface (JNDI) injection. This allows an attacker to inject and execute malicious code, posing a critical risk to affected systems. This flaw has been actively exploited in real-world attacks."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Critical"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":10,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-829","description":"Inclusion of Functionality from Untrusted Control Sphere","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-27T04:05:15.786Z","orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP"},"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2025-70974"},{"name":"RHBZ#2428203","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2428203"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-70974.json"}],"timeline":[{"lang":"en","time":"2026-01-09T07:02:15.514Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-01-09T06:43:23.584Z","value":"Made public."}],"title":"fastjson: Fastjson: Remote Code Execution via JNDI Injection due to autoType mishandling","x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"}}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Fastjson","vendor":"Alibaba","versions":[{"lessThan":"1.2.48","status":"affected","version":"0","versionType":"custom"}]}],"descriptions":[{"lang":"en","value":"Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":10,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-829","description":"CWE-829 Inclusion of Functionality from Untrusted Control Sphere","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-01-09T06:57:21.981Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"url":"https://github.com/alibaba/fastjson/compare/1.2.47...1.2.48"},{"url":"https://www.seebug.org/vuldb/ssvid-98020"},{"url":"https://www.cnvd.org.cn/flaw/show/CNVD-2019-22238"},{"url":"https://www.freebuf.com/vuls/208339.html"},{"url":"https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce"},{"url":"https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger"},{"url":"https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955"}],"x_generator":{"engine":"CVE-Request-form 0.0.1"},"x_year":"2018"}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2025-70974","datePublished":"2026-01-09T06:43:23.584Z","dateReserved":"2026-01-09T06:43:23.338Z","dateUpdated":"2026-06-27T04:05:15.786Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-01-09 07:16:02","lastModifiedDate":"2026-06-27 05:16:41","problem_types":["CWE-829","CWE-829 CWE-829 Inclusion of Functionality from Untrusted Control Sphere","CWE-829 Inclusion of Functionality from Untrusted Control Sphere"],"metrics":{"cvssMetricV31":[{"source":"cve@mitre.org","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","baseScore":10,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":6},{"source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","baseScore":10,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-01-09T21:37:04.264336Z","id":"CVE-2025-70974","options":[{"exploitation":"poc"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"70974","Ordinal":"1","Title":"CVE-2025-70974","CVE":"CVE-2025-70974","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"70974","Ordinal":"1","NoteData":"Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.","Type":"Description","Title":"CVE-2025-70974"}]}}}