CVE-2025-70974
BaseFortify
Publication date: 2026-01-09
Last updated on: 2026-01-09
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| alibaba | fastjson | to 1.2.48 (exc) |
| alibaba | fastjson | From 1.2.48 (inc) |
| alibaba | fastjson | 1.2.58 |
| alibaba | fastjson | From 1.2.69 (inc) |
| alibaba | fastjson | From 1.2.60 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-829 | The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-70974 is a remote code execution vulnerability in the Fastjson JSON parsing library. It occurs because Fastjson mishandles the autoType feature, allowing an attacker to supply a specially crafted JSON document containing an @type key with a Java class name. This can lead to calls to certain public methods of that class, potentially enabling JNDI injection attacks with attacker-controlled payloads. The vulnerability arises from unsafe deserialization of user-controlled JSON strings and affects Fastjson versions up to 1.2.47. It does not require the autotype feature to be enabled, making even default configurations vulnerable. This flaw was exploited in the wild from 2023 through 2025 and is related to earlier Fastjson vulnerabilities. [1]
How can this vulnerability impact me? :
This vulnerability can lead to remote code execution on systems using vulnerable versions of Fastjson, allowing attackers to execute arbitrary code remotely. Exploitation has been observed in the wild, including by the Androxgh0st botnet, which used it to compromise systems such as a University of California subdomain. Impacts include unauthorized access to critical infrastructure, data breaches exposing personally identifiable information (PII) and sensitive configurations, deployment of persistent webshells for ongoing control, cryptomining activities on compromised servers, and potential brand damage. The vulnerability also increases the risk of regulatory and legal consequences due to unpatched critical flaws. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability can lead to unauthorized access and data breaches involving personally identifiable information (PII) and sensitive configurations. Such breaches can result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal data and ensuring system security. Failure to patch and mitigate this vulnerability may expose organizations to regulatory penalties, legal risks, and reputational damage. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2025-70974 exploitation involves monitoring for suspicious JNDI/RMI activity, especially targeting class loaders or Jackson databind components. Network monitoring should focus on outbound RMI, LDAP, and JNDI traffic that could indicate exploitation attempts. Additionally, logs should be reviewed for suspicious POST parameters (e.g., containing 'abu'), command injection patterns such as ';cat /etc/passwd', OGNL expressions, and beaconing to known malicious domains (e.g., subdomains under .oast.me, .oast.today, .oast.fun, .oast.live, .oast.site). File system audits for unexpected PHP webshell files (e.g., abuok.php, myabu.php, scwj.php, baocun.php, baocun.php) are also recommended. Specific commands to detect exploitation could include: 1) Network traffic capture and filtering for outbound LDAP, RMI, and JNDI connections (e.g., using tcpdump or Wireshark). 2) Searching server logs for suspicious POST requests containing keywords like 'abu' or command injection patterns (e.g., grep -r 'abu' /var/log/ or grep -r ';cat /etc/passwd' /var/log/). 3) File system scans for unexpected PHP files (e.g., find /var/www -name '*.php' -exec grep -l 'eval' {} \;). 4) Monitoring DNS queries or HTTP requests to known malicious domains associated with the botnet. These detection methods help identify exploitation attempts and post-exploitation activities related to this vulnerability. [2]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Fastjson to the latest secure version, specifically version 1.2.58 or later, as versions 1.2.47 and earlier are vulnerable. Additionally, patch all affected systems against related CVEs mentioned in the context (e.g., Apache Shiro, Spring4Shell, Jackson databind). Network-level mitigations include restricting outbound RMI, LDAP, and JNDI traffic via firewalls to prevent exploitation. Deploy Web Application Firewalls (WAF) or Runtime Application Self-Protection (RASP) solutions to detect and block malicious payloads. Harden and monitor CMS plugins, especially WordPress plugins like 'Popup Maker'. Regularly audit file systems for unexpected PHP webshells and suspicious files. Monitor logs for indicators of compromise such as suspicious POST parameters, command injection attempts, and connections to known malicious domains. These combined steps reduce the risk of exploitation and help detect ongoing attacks. [1, 2]