GHSA-jm7w-5684-pvh8

Source
https://github.com/advisories/GHSA-jm7w-5684-pvh8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-jm7w-5684-pvh8/GHSA-jm7w-5684-pvh8.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-jm7w-5684-pvh8
Published
2026-01-09T09:31:19Z
Modified
2026-01-09T19:50:47.156622Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
FASTJSON Includes Functionality from Untrusted Control Sphere
Details

Fastjson before 1.2.48 mishandles autoType: when a JSON document contains an @type key whose value is the name of a Java class, the parser may call certain public methods of that class while deserializing. Depending on what those methods do, this can lead to JNDI injection with an attacker-supplied payload located elsewhere in the same JSON document. The issue was exploited in the wild from 2023 through 2025. NOTE: it exists because of an incomplete fix for CVE-2017-18349; a later bypass is covered by CVE-2022-25845.
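The description above gives the two ingredients a detection rule needs: an @type key naming a Java class, and a JNDI-style URI placed somewhere else in the same document. The following scanner is an added example for this page, not code from fastjson or from the advisory; it walks a parsed JSON document and reports both ingredients. The class-name and URI-scheme regexes, the `scan`/`walk` function names and the sample documents (including the placeholder class `com.example.SomeBean`, which is not a known gadget) are constructed for the example.

```python
import json
import re
from typing import Any, Iterator, Tuple

# Heuristics (assumptions for this example, not fastjson internals): a value
# under "@type" that looks like a fully qualified Java class name, and any
# string value whose scheme a JNDI lookup would follow.
JAVA_CLASS_RE = re.compile(r"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+$")
JNDI_URI_RE = re.compile(r"^(?:ldap|ldaps|rmi|iiop|iiopname|corbaname)://", re.I)


def walk(node: Any, path: str = "$") -> Iterator[Tuple[str, Any]]:
    """Yield (json-path, node) for every node in a parsed JSON document."""
    yield path, node
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")


def scan(raw: str) -> dict:
    """Classify one JSON document as 'clean', 'autotype' or 'autotype+jndi'.

    The text is parsed before matching, so an escaped key such as \u0040type
    is seen as "@type", the same way the server-side parser sees it; a regex
    over the raw bytes would miss that spelling.
    """
    doc = json.loads(raw)
    types, jndi = [], []
    for path, node in walk(doc):
        if isinstance(node, dict):
            t = node.get("@type")
            if isinstance(t, str) and JAVA_CLASS_RE.match(t):
                types.append((path, t))
        elif isinstance(node, str) and JNDI_URI_RE.match(node):
            jndi.append((path, node))
    if types and jndi:
        verdict = "autotype+jndi"
    elif types:
        verdict = "autotype"
    else:
        verdict = "clean"
    return {"verdict": verdict, "types": types, "jndi": jndi}


# Constructed sample documents (not captured traffic). The class name is a
# placeholder; the addresses are from the TEST-NET-3 documentation range.
SAMPLES = {
    "benign": '{"id": 7, "name": "alice", "roles": ["admin"]}',
    # JSON-LD also uses "@type", but with a bare term, not a Java class name.
    "jsonld": '{"@type": "Person", "name": "alice"}',
    "autotype": '{"@type": "com.example.SomeBean", "name": "alice"}',
    "autotype_jndi": '{"@type": "com.example.SomeBean", '
                     '"config": "ldap://203.0.113.10:1389/obj"}',
    # "@" written as a JSON unicode escape in the key.
    "escaped": '{"\\u0040type": "com.example.SomeBean", '
               '"nested": {"url": "rmi://203.0.113.10:1099/obj"}}',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = scan(raw)
        print(f"{name:14s} {result['verdict']:14s} {result['types']} {result['jndi']}")
```

An "autotype" verdict on its own means the document asks the parser to pick the target class; whether that is acceptable depends on whether the application deliberately accepts @type from that source. A JSON-LD style "@type" with a bare term does not match the class-name pattern, which keeps ordinary web payloads out of the "autotype" bucket.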

Database specific
{
    "github_reviewed_at": "2026-01-09T19:33:17Z",
    "severity": "CRITICAL",
    "cwe_ids": [
        "CWE-829"
    ],
    "nvd_published_at": "2026-01-09T07:16:02Z",
    "github_reviewed": true
}
References

Affected packages

Maven / com.alibaba:fastjson

Package

Name
com.alibaba:fastjson
Purl
pkg:maven/com.alibaba/fastjson

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.2.48

Affected versions

1.*
1.1.15
1.1.16
1.1.17
1.1.18
1.1.19
1.1.20
1.1.21
1.1.22
1.1.23
1.1.24
1.1.25
1.1.26
1.1.27
1.1.28
1.1.29
1.1.30
1.1.31
1.1.31.sec01
1.1.31.sec04
1.1.31.sec06
1.1.31.sec07
1.1.31.sec10
1.1.31_noneautotype
1.1.32
1.1.33
1.1.33.android
1.1.33.sec01
1.1.33.sec04
1.1.33.sec06
1.1.33.sec10
1.1.34
1.1.34.android
1.1.34.sec01
1.1.34.sec04
1.1.34.sec06
1.1.34.sec09
1.1.34.sec10
1.1.34_noneautotype
1.1.35
1.1.36
1.1.37
1.1.38
1.1.39
1.1.40
1.1.41
1.1.41.sec01
1.1.41.sec04
1.1.41.sec06
1.1.41.sec10
1.1.42
1.1.42.android
1.1.43
1.1.43.android
1.1.44
1.1.44.android
1.1.45
1.1.45.android
1.1.46
1.1.46.android
1.1.46.sec01
1.1.46.sec04
1.1.46.sec06
1.1.46.sec09
1.1.46.sec10
1.1.46_noneautotype
1.1.47.android
1.1.48.android
1.1.49.android
1.1.50.android
1.1.51.android
1.1.52.android
1.1.53.android
1.1.54.android
1.1.55.android
1.1.56.android
1.1.57.android
1.1.58.android
1.1.59.android
1.1.60.android
1.1.61.android
1.1.62.android
1.1.63.android
1.1.64.android
1.1.65.android
1.1.66.android
1.1.67.android
1.1.68.android
1.1.69.android
1.1.70.android
1.1.70.android_noneautotype
1.1.71.android
1.1.72.android
1.1.73.android
1.1.76.android
1.1.76.android_noneautotype
1.1.77.android_noneautotype
1.2.0
1.2.1
1.2.2
1.2.2.sec01
1.2.2.sec10
1.2.3
1.2.4
1.2.4.sec01
1.2.4.sec04
1.2.4.sec09
1.2.4.sec10
1.2.5
1.2.6
1.2.7
1.2.7.sec01
1.2.7.sec04
1.2.7.sec06
1.2.7.sec09
1.2.7.sec10
1.2.8
1.2.8.sec01
1.2.8.sec04
1.2.8.sec05
1.2.8.sec06
1.2.8.sec09
1.2.8.sec10
1.2.8.sec10_noneautotype
1.2.8_noneautotype
1.2.9
1.2.10
1.2.11
1.2.12
1.2.13
1.2.13.sec01
1.2.14
1.2.14.sec01
1.2.14.sec10
1.2.15
1.2.16
1.2.16.sec01
1.2.16.sec04
1.2.16.sec10
1.2.17
1.2.18
1.2.19
1.2.20
1.2.21
1.2.22
1.2.23
1.2.24
1.2.25
1.2.25.sec10
1.2.26
1.2.27
1.2.27.sec06
1.2.27.sec09
1.2.27.sec10
1.2.28
1.2.28.odps
1.2.29
1.2.29.sec04
1.2.29.sec06
1.2.29.sec09
1.2.29.sec10
1.2.30
1.2.31
1.2.31.sec10
1.2.31_noneautotype
1.2.32
1.2.33
1.2.34
1.2.35
1.2.36
1.2.37
1.2.38
1.2.39
1.2.40
1.2.41
1.2.42
1.2.43
1.2.44
1.2.45
1.2.46
1.2.47
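The affected range above is [0, 1.2.48) on the Maven ecosystem, and the version list shows the qualifiers fastjson has shipped (.sec01, .android, _noneautotype and so on). The following checker is an added example for this page, not tooling from OSV, GitHub or the fastjson project; it classifies a version string against this advisory's range and finds the artifact in a pom.xml, resolving a `${...}` property placeholder. The comparison uses only the leading numeric components of the version, which is an assumption that holds here because the fixed version carries no qualifier; the function names and the sample POM are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Range from this advisory (Maven / com.alibaba:fastjson, type ECOSYSTEM):
# introduced 0, fixed 1.2.48.
FIXED = (1, 2, 48)
POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def numeric_prefix(version: str) -> Tuple[int, ...]:
    """Leading integer components of a version string.

    Qualifiers such as '.sec01', '.android' or '_noneautotype' are dropped.
    Assumption: because 1.2.48 has no qualifier, comparing the numeric
    prefix alone gives the same answer as full Maven ordering for this range
    (1.2.47.sec01 < 1.2.48, 1.2.48.sec01 >= 1.2.48).
    """
    parts = []
    for piece in re.split(r"[._-]", version):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def is_affected(version: str) -> Optional[bool]:
    """True if version is in [0, 1.2.48); None if it cannot be classified."""
    prefix = numeric_prefix(version)
    if not prefix:
        return None  # e.g. an unresolved "${...}" placeholder
    return prefix < FIXED


def fastjson_versions_in_pom(pom_xml: str) -> List[Tuple[str, Optional[bool]]]:
    """Return (version, affected) for every com.alibaba:fastjson dependency.

    Covers <dependencies> and <dependencyManagement>, and resolves a version
    written as ${property} from the <properties> block of the same POM.
    """
    root = ET.fromstring(pom_xml)
    props = {}
    props_el = root.find(f"{POM_NS}properties")
    if props_el is not None:
        for p in props_el:
            props[p.tag.replace(POM_NS, "")] = (p.text or "").strip()
    found = []
    for dep in root.iter(f"{POM_NS}dependency"):
        gid = dep.findtext(f"{POM_NS}groupId", "").strip()
        aid = dep.findtext(f"{POM_NS}artifactId", "").strip()
        if (gid, aid) != ("com.alibaba", "fastjson"):
            continue
        ver = dep.findtext(f"{POM_NS}version", "").strip()
        m = re.fullmatch(r"\$\{([^}]+)\}", ver)
        if m:
            ver = props.get(m.group(1), ver)
        found.append((ver, is_affected(ver)))
    return found


# Constructed sample POM, not taken from any real project.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <fastjson.version>1.2.47</fastjson.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.alibaba</groupId>
      <artifactId>fastjson</artifactId>
      <version>${fastjson.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for v in ("1.2.47", "1.2.48", "1.1.31.sec01", "1.2.8.sec10_noneautotype"):
        print(f"{v:28s} affected={is_affected(v)}")
    print(fastjson_versions_in_pom(SAMPLE_POM))
```

A version that the checker reports as not affected is only clear of this advisory's range; the description notes that a later bypass is tracked separately under CVE-2022-25845, so a version at or above 1.2.48 still needs to be checked against that record.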

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-jm7w-5684-pvh8/GHSA-jm7w-5684-pvh8.json"