Miggo Logo
Miggo Vulnerability Database
CVE-2022-25845

CVE-2022-25845: Unsafe deserialization in com.alibaba:fastjson

8.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-25845
GHSA ID
GHSA-pv7h-hx5h-mgfj
EPSS Score
0.99566%
CWE
CWE-502
Published
6/11/2022
Updated
5/15/2024
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
com.alibaba:fastjsonmaven>= 1.2.25, < 1.2.831.2.83

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the checkAutoType() function's handling of autoType validation. Key indicators from the commit diff show: 1) Expansion of denyHashCodes to block more dangerous classes 2) Added null return for Exception-derived classes when autoTypeSupport=false 3) Modified test case showing Exception deserialization behavior changed. The function's previous failure to properly validate() these edge cases allowed bypassing autoType restrictions through crafted payloads, particularly leveraging Exception inheritance chains which were not adequately restricted prior to 1.2.83.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** p**k*** *om.*li****:**stjson ***or* *.*.** is vuln*r**l* to **s*ri*liz*tion o* Untrust** **t* *y *yp*ssin* t** ****ult *utoTyp* s*ut*own r*stri*tions, w*i** is possi*l* un**r **rt*in *on*itions. *xploitin* t*is vuln*r**ility *llows *tt**kin* r*mo

Reasoning

T** vuln*r**ility st*ms *rom t** `****k*utoTyp*()` *un*tion's **n*lin* o* *utoTyp* v*li**tion. K*y in*i**tors *rom t** *ommit *i** s*ow: *) *xp*nsion o* `**ny**s**o**s` to *lo*k mor* **n**rous *l*ss*s *) ***** null r*turn *or `*x**ption`-**riv** *l*s