A high-severity flaw in the Fastjson library that could be exploited to achieve remote code execution has recently been patched by the project's maintainers.
Fastjson is a Java library used to convert Java objects into their JSON representation and vice versa.
The vulnerability, tracked as CVE-2022-25845 (CVSS score 8.1), is a case of deserialisation of untrusted data in a supported feature called 'AutoType'. The project maintainers fixed it in version 1.2.83, released on May 23, 2022.
“This vulnerability affects all Java applications that rely on Fastjson versions 1.2.80 or earlier and pass user-controlled data to either the JSON.parse or JSON.parseObject API without specifying a specific class to deserialise,” said JFrog’s Uriya Yavnieli in a write-up.
“However, if the deserialised JSON is user-controlled, passing it with AutoType enabled can lead to a deserialisation security issue, since the attacker can instantiate any class that is available on the Classpath and feed its constructor with arbitrary arguments,” explained Yavnieli.
Although the project maintainers had introduced a safe mode that disables AutoType and had begun maintaining a block list of classes to guard against deserialisation flaws, the newly uncovered flaw bypasses the latter restriction and results in remote code execution.
Fastjson users are advised to update to version 1.2.83 or to enable safe mode, which turns off AutoType regardless of the allowlist and blocklist in use, effectively shutting down variants of the deserialisation attack.
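The mechanism the quotes above describe, as an added example (not code from the article, from JFrog, or from the Fastjson project): the `@type` key in attacker-controlled JSON selects the class Fastjson instantiates and feeds the remaining keys to its setters, shown as the vulnerable untyped call beside the two mitigations the article names (a typed parse and safe mode). The class names `AutoTypeDemo`, `SideEffectBean` and `Order`, the JSON payloads, and the assumption that Fastjson 1.2.x is on the classpath are all mine. The example enables AutoType explicitly to show the instantiation path; it does not reproduce the blocklist bypass behind CVE-2022-25845.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

// Assumes Fastjson 1.2.x on the classpath and that this file is compiled in
// the default package (the @type string below uses the JVM binary name
// "AutoTypeDemo$SideEffectBean"; adjust it if you move the class).
public class AutoTypeDemo {

    // Constructed stand-in for "any class on the classpath". A real gadget
    // would do something dangerous in a constructor or setter; this one only
    // records that its setter was reached with attacker-supplied data.
    public static class SideEffectBean {
        public static String lastCommand = null;

        public void setCommand(String command) {
            lastCommand = command;
        }
    }

    // The class the application actually expects from its clients.
    public static class Order {
        private String item;
        private int quantity;

        public String getItem() { return item; }
        public void setItem(String item) { this.item = item; }
        public int getQuantity() { return quantity; }
        public void setQuantity(int quantity) { this.quantity = quantity; }
    }

    // Constructed attacker input: the "@type" key names the class Fastjson
    // should instantiate, and the other keys are fed to that class's setters.
    static final String MALICIOUS_JSON =
            "{\"@type\":\"AutoTypeDemo$SideEffectBean\",\"command\":\"id\"}";

    // Constructed legitimate input for the typed parse.
    static final String ORDER_JSON = "{\"item\":\"widget\",\"quantity\":3}";

    // Vulnerable pattern from the article: untyped parse of user-controlled
    // JSON. Fastjson decides the target class from the payload itself.
    static Object vulnerableParse(String userJson) {
        return JSON.parse(userJson);
    }

    // Hardened pattern 1: name the class you expect. The deserialiser is then
    // bound to Order rather than to whatever "@type" asks for.
    static Order hardenedParseTyped(String userJson) {
        return JSON.parseObject(userJson, Order.class);
    }

    // Hardened pattern 2: safe mode disables AutoType entirely, regardless of
    // any accept or deny list, so any "@type" key is rejected up front.
    // Equivalent to starting the JVM with -Dfastjson.parser.safeMode=true.
    static void enableSafeMode() {
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    public static void main(String[] args) {
        // For the illustration, enable AutoType explicitly so the untyped
        // parse honours "@type". With it left at the default (off), Fastjson
        // applies its accept/deny lists instead; the article's CVE concerns
        // bypasses of that deny list, which this example does not reproduce.
        ParserConfig.getGlobalInstance().setAutoTypeSupport(true);

        Object parsed = vulnerableParse(MALICIOUS_JSON);
        System.out.println("untyped parse produced: " + parsed.getClass().getName());
        System.out.println("setter reached with attacker data: " + SideEffectBean.lastCommand);

        Order order = hardenedParseTyped(ORDER_JSON);
        System.out.println("typed parse: " + order.getItem() + " x" + order.getQuantity());

        // Reset the side-effect marker, then show safe mode rejecting "@type".
        SideEffectBean.lastCommand = null;
        enableSafeMode();
        try {
            vulnerableParse(MALICIOUS_JSON);
            System.out.println("unexpected: safe mode did not block the payload");
        } catch (JSONException e) {
            System.out.println("safe mode rejected the payload: " + e.getMessage());
        }
        System.out.println("setter reached after safe mode: " + SideEffectBean.lastCommand);
    }
}
```

Compile and run with the Fastjson jar on the classpath (`javac -cp fastjson-1.2.x.jar AutoTypeDemo.java && java -cp .:fastjson-1.2.x.jar AutoTypeDemo`). The first block of output shows that the untyped parse instantiated the class named in the payload and ran its setter; after `enableSafeMode()` the same payload is rejected with a `JSONException` and the setter is never reached. In production, prefer the system property so safe mode is on before any parser is configured.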