Alibaba Fastjson Deserialization Bypass of autoType Limitation and Mitigation

Critical Vulnerability Information 1. Risk Description Fastjson has adopted a whitelist/blacklist mechanism to defend against deserialization vulnerabilities. However, research has shown that under specific conditions, this exploitation can bypass the default autoType disable restriction, enabling attacks on remote servers. The risk impact is significant. It is strongly recommended that Fastjson users take immediate security measures to protect their systems. 2. Affected Versions Affects versions ≤1.2.80, under specific dependency conditions. 3. Upgrade Solutions 3.1 Upgrade to the Latest Version 1.2.83 This version includes changes to autoType behavior, which may cause incompatibility in certain scenarios. If issues arise, refer to Issues for assistance. Alternatively, join the DingTalk group 44597749 for support. 3.2 Enable safeMode for Enhanced Security Starting from version 1.2.68, Fastjson introduced safeMode. When enabled, autoType is disabled regardless of whitelist/blacklist configurations, effectively preventing deserialization gadget variant attacks. 3.2.1 How to Enable Refer to fastjson_safemode 3.2.2 Is safeMode Required After Upgrading to 1.2.83? Version 1.2.83 fixes the vulnerability discovered in this report. Enabling safeMode completely disables autoType functionality, preventing similar issues from reoccurring. However, this may introduce compatibility issues. Please thoroughly evaluate the impact on your business before enabling. 3.2.3 Does Enabling safeMode Require an Upgrade? Enabling safeMode makes systems immune to this vulnerability, so upgrading is not mandatory. 3.3 Upgrade to Fastjson v2 Fastjson v2 release page: fastjson2/releases Fastjson has open-sourced version 2.0, which no longer provides a whitelist for backward compatibility, enhancing security. Fastjson v2 has been rewritten, offering significant performance improvements. However, it is not fully compatible with 1.x versions. A thorough compatibility test is required before upgrading. For upgrade-related issues, refer to Issues. 3.4 noneautotype Versions After May 26, to support legacy users with security hardening needs, noneautotype versions were released. These versions fully disable autoType, providing the same protection as safeMode in 1.2.68. Users of noneautotype versions are unaffected by this vulnerability. 1.2.8_noneautotype 1.2.48_noneautotype 1.2.50_noneautotype 1.2.54_noneautotype 1.2.60_noneautotype 1.2.71_noneautotype If you need additional noneautotype versions, please request them via Issues.

Goal Reached Thanks to every supporter — we hit 100%!

Alibaba Fastjson Deserialization Bypass of autoType Limitation and Mitigation

More from this source