CVE-2025-70974 Alibaba CVE debrief

Who should care

Organizations using Fastjson versions prior to 1.2.48 should be concerned about this vulnerability. This includes developers and security teams responsible for maintaining applications that utilize Fastjson for JSON processing. Given the critical severity and history of exploitation, immediate attention is necessary to upgrade to a safe version and assess potential exposure.

Technical summary

The vulnerability in Fastjson arises from the autoType feature, which can lead to JNDI injection when an @type key is present in a JSON document with a value that is the name of a Java class. This can result in calls to public methods of that class, depending on their behavior. The vulnerability has a CVSS score of 10 and is considered critical. It was exploited in the wild from 2023 to 2025, indicating active threats. The issue is related to an incomplete fix for CVE-2017-18349 and has a bypass covered under CVE-2022-25845.

Defensive priority

High. Immediate action is required to mitigate this vulnerability due to its critical severity and history of exploitation.

Recommended defensive actions

• Upgrade Fastjson to version 1.2.48 or later.
• Review and restrict usage of the autoType feature.
• Implement additional security measures such as input validation and sanitization.
• Monitor for suspicious activity related to JNDI injection attempts.
• Assess and apply compensating controls if immediate upgrade is not feasible.

Evidence notes

The CVE record and NVD detail provide official information on the vulnerability. Multiple source references, including security blogs and vulnerability databases, corroborate the details of the vulnerability and its exploitation. However, specific details about the exploits used in the wild are limited, suggesting a need for further investigation and monitoring.

Official resources