Malicious actors could abuse a high-severity flaw in the widely used Fastjson library to enable remote code execution, reports The Hacker News.
The already-patched vulnerability, tracked as CVE-2022-25845, "affects all Java applications that rely on Fastjson versions 1.2.80 or earlier and that pass user-controlled data to either the JSON.parse or JSON.parseObject APIs without specifying a specific class to deserialize," wrote Uriya Yavnieli of JFrog.
While users have been urged to update Fastjson to version 1.2.83, they could also activate safeMode, which disables the vulnerable AutoType function regardless of the configured allowlist and blocklist, preventing deserialization attacks, according to researchers.
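The two mitigations above, enabling safeMode and binding parsed input to a caller-chosen class, look like this in practice. This is an added example written for this page, not code from the article or from JFrog; it assumes a Fastjson release that exposes `ParserConfig.setSafeMode` (1.2.68 or later) on the classpath, and the `@type` class name in the sample payload is a constructed placeholder, not a real gadget.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastjsonSafeModeExample {

    // Constructed sample input: a JSON document carrying an "@type" key, the marker
    // Fastjson's AutoType feature uses to pick the class to instantiate. The class
    // name is a placeholder for illustration only.
    static final String UNTRUSTED_INPUT =
        "{\"@type\":\"com.example.PlaceholderClass\",\"value\":1}";

    // A plain data class the application actually expects. Passing it to parseObject
    // means the code, not the document, decides what gets instantiated.
    public static class Greeting {
        public String message;
    }

    public static void main(String[] args) {
        // Mitigation 1: turn on safeMode for the global parser config. The same
        // effect is available without a code change via the JVM property
        // -Dfastjson.parser.safeMode=true. With safeMode on, AutoType is disabled
        // outright; allowlist and blocklist entries are not consulted.
        ParserConfig.getGlobalInstance().setSafeMode(true);

        // The untyped APIs named in the advisory, JSON.parse and JSON.parseObject
        // without a target class, now reject any "@type" directive instead of
        // resolving the named class.
        try {
            Object parsed = JSON.parse(UNTRUSTED_INPUT);
            System.out.println("parsed: " + parsed);
        } catch (JSONException e) {
            System.out.println("rejected by safeMode: " + e.getMessage());
        }

        // Mitigation 2: typed parsing. The target class comes from the call site,
        // so the input cannot steer deserialization toward an arbitrary class.
        Greeting g = JSON.parseObject("{\"message\":\"hello\"}", Greeting.class);
        System.out.println("message: " + g.message);
    }
}
```

Typed parsing on its own is only as strong as the target type: a field declared as `Object` (or another broad type) inside the bound class still lets Fastjson consult `@type` for that field, which is why safeMode is the setting the researchers single out as covering the whole application rather than one call site.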
"Although a public PoC exploit exists and the potential impact is very high (remote code execution), the conditions for the attack are not trivial (passing untrusted input to specific vulnerable APIs) and, most importantly, target-specific research is required to find a suitable gadget class to exploit," added Yavnieli.