CVE-2022-25845 — AI Deep Analysis Summary

🚨 **Essence**: Fastjson < 1.2.83 allows bypassing `autoType` restrictions. 📉 **Consequences**: Attackers can deserialize untrusted data, leading to Remote Code Execution (RCE) on the server. 💥 Impact: High (CVSS 9.8).

🛠️ **Root Cause**: Flaw in the JSON parser's handling of `@type` fields. 🧠 **Flaw**: The default `autoType` (auto-type) security check is easily bypassed using specific class references (e.g., AspectJ, Groovy, Jackson).…

📦 **Component**: `com.alibaba:fastjson`. 📅 **Affected Versions**: All versions **before 1.2.83**. ✅ **Fixed Version**: 1.2.83. 🏢 **Vendor**: Alibaba (Fastjson).

💻 **Privileges**: Full Remote Code Execution (RCE). 📂 **Data**: Can read files (e.g., via AspectJ `fileread`) or execute arbitrary commands. 🌐 **Scope**: Attacks the remote server directly.…

🔓 **Auth**: None required (PR:N). 🌐 **Network**: Network accessible (AV:N). 🎯 **Complexity**: High (AC:H) due to specific bypass techniques needed. 🖱️ **UI**: None required (UI:N).…

🔥 **Yes, Public Exploits Exist**. 📂 **PoCs**: Multiple GitHub repos (e.g., `hosch3n/FastjsonVulns`, `nerowander/CVE-2022-25845-exploit`). 📝 **Details**: Includes file read and RCE payloads using Groovy/AspectJ/Jackson.…

🔍 **Check**: Scan for `com.alibaba:fastjson` dependency. 📊 **SCA**: Use Software Composition Analysis tools. ⚠️ **Note**: Some SCA tools may yield False Negatives if relying solely on call graphs.…

🛡️ **Yes, Officially Fixed**. 📌 **Patch**: Upgrade to **Fastjson 1.2.83** or later. 🔗 **Commit**: See Alibaba Fastjson GitHub commits (e.g., `8f3410f`, `35db4ad`).…

🚧 **Workaround**: If upgrade is impossible, disable `autoType` strictly. 🚫 **Mitigation**: Remove dangerous classes (AspectJ, Groovy, Jackson) from classpath if possible.…

🔴 **Priority: CRITICAL**. 🚀 **Urgency**: Immediate action required. 📉 **CVSS**: 9.8 (Critical). 📢 **Action**: Patch to v1.2.83+ ASAP. 🚨 **Reason**: RCE with no auth, public exploits available.