CVE-2025-70974
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-09

Last updated on: 2026-01-09

Assigner: MITRE

Description
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-09
Last Modified
2026-01-09
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-70974
EUVD
EUVD-2026-1694
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
alibaba fastjson to 1.2.48 (exc)
alibaba fastjson From 1.2.48 (inc)
alibaba fastjson 1.2.58
alibaba fastjson From 1.2.69 (inc)
alibaba fastjson From 1.2.60 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-70974 is a remote code execution vulnerability in the Fastjson JSON parsing library. It occurs because Fastjson mishandles the autoType feature, allowing an attacker to supply a specially crafted JSON document containing an @type key with a Java class name. This can lead to calls to certain public methods of that class, potentially enabling JNDI injection attacks with attacker-controlled payloads. The vulnerability arises from unsafe deserialization of user-controlled JSON strings and affects Fastjson versions up to 1.2.47. It does not require the autotype feature to be enabled, making even default configurations vulnerable. This flaw was exploited in the wild from 2023 through 2025 and is related to earlier Fastjson vulnerabilities. [1]

Impact Analysis

This vulnerability can lead to remote code execution on systems using vulnerable versions of Fastjson, allowing attackers to execute arbitrary code remotely. Exploitation has been observed in the wild, including by the Androxgh0st botnet, which used it to compromise systems such as a University of California subdomain. Impacts include unauthorized access to critical infrastructure, data breaches exposing personally identifiable information (PII) and sensitive configurations, deployment of persistent webshells for ongoing control, cryptomining activities on compromised servers, and potential brand damage. The vulnerability also increases the risk of regulatory and legal consequences due to unpatched critical flaws. [2]

Compliance Impact

This vulnerability can lead to unauthorized access and data breaches involving personally identifiable information (PII) and sensitive configurations. Such breaches can result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal data and ensuring system security. Failure to patch and mitigate this vulnerability may expose organizations to regulatory penalties, legal risks, and reputational damage. [2]

Detection Guidance

Detection of CVE-2025-70974 exploitation involves monitoring for suspicious JNDI/RMI activity, especially targeting class loaders or Jackson databind components. Network monitoring should focus on outbound RMI, LDAP, and JNDI traffic that could indicate exploitation attempts. Additionally, logs should be reviewed for suspicious POST parameters (e.g., containing 'abu'), command injection patterns such as ';cat /etc/passwd', OGNL expressions, and beaconing to known malicious domains (e.g., subdomains under .oast.me, .oast.today, .oast.fun, .oast.live, .oast.site). File system audits for unexpected PHP webshell files (e.g., abuok.php, myabu.php, scwj.php, baocun.php, baocun.php) are also recommended. Specific commands to detect exploitation could include: 1) Network traffic capture and filtering for outbound LDAP, RMI, and JNDI connections (e.g., using tcpdump or Wireshark). 2) Searching server logs for suspicious POST requests containing keywords like 'abu' or command injection patterns (e.g., grep -r 'abu' /var/log/ or grep -r ';cat /etc/passwd' /var/log/). 3) File system scans for unexpected PHP files (e.g., find /var/www -name '*.php' -exec grep -l 'eval' {} \;). 4) Monitoring DNS queries or HTTP requests to known malicious domains associated with the botnet. These detection methods help identify exploitation attempts and post-exploitation activities related to this vulnerability. [2]

Mitigation Strategies

The primary mitigation step is to upgrade Fastjson to the latest secure version, specifically version 1.2.58 or later, as versions 1.2.47 and earlier are vulnerable. Additionally, patch all affected systems against related CVEs mentioned in the context (e.g., Apache Shiro, Spring4Shell, Jackson databind). Network-level mitigations include restricting outbound RMI, LDAP, and JNDI traffic via firewalls to prevent exploitation. Deploy Web Application Firewalls (WAF) or Runtime Application Self-Protection (RASP) solutions to detect and block malicious payloads. Harden and monitor CMS plugins, especially WordPress plugins like 'Popup Maker'. Regularly audit file systems for unexpected PHP webshells and suspicious files. Monitor logs for indicators of compromise such as suspicious POST parameters, command injection attempts, and connections to known malicious domains. These combined steps reduce the risk of exploitation and help detect ongoing attacks. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-70974. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart