External risk intelligence

Fastjson AutoType JNDI Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2025-70974

Fastjson is a widely used Java library integrated into numerous internet-facing web applications and API services to process incoming JSON data. Because it is frequently deployed as a core component of web application backends that parse unauthenticated user input, it presents a common, externally reachable attack surface.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability in Fastjson, a widely used Java library, allows attackers to potentially inject malicious code by exploiting how the library processes specific JSON data. This issue has been observed in active exploitation across various instances from 2023 to 2025, posing a significant risk to applications that rely on this library for data processing. The primary concern is to confirm whether our systems utilize this vulnerable component and are exposed.

  • A serious flaw exists in a common Java data processing tool.
  • It has been actively exploited in recent years.
  • Confirm relevance and exposure of this Java library.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending a specially crafted JSON document to an application that uses the vulnerable library. If the application parses this JSON, the library may be tricked into executing arbitrary code through JNDI injection. This can lead to complete system compromise.

  • No authentication required.
  • Vulnerable JSON parsing.
  • Remote code execution.

Live Threat

Current exploitation, exposure, and threat context

When an @type key is present in a JSON document, and its value is a Java class name, the system may execute public methods of that class. This can lead to JNDI injection with an attacker-supplied payload, potentially affecting system data and service behavior when supported by the advisory's context.

  • Java application servers.
  • Remote code execution via crafted JSON.
  • Compromise of backend systems.

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams responsible for applications leveraging the Fastjson library should prioritize identifying all instances of the affected technology. This initial step is crucial for assessing business criticality and exposure, which will then inform the risk-based remediation planning and coordination with vendor management if necessary.

  • Application owners should lead remediation efforts.
  • Verify all Fastjson deployments and reachability.
  • Plan immediate remediation or risk reduction.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Fastjson and how is it used?

Fastjson is a Java library designed to convert Java objects into JSON format and vice versa. Developers integrate it into web applications and API services to handle data exchange efficiently. Because it is a foundational component for parsing JSON, it is often found deep within the backend architecture of many enterprise systems where it automatically processes incoming information from users or other services.

What is the vulnerability in CVE-2025-70974?

This vulnerability falls under the weakness class of Inclusion of Functionality from Untrusted Control Sphere. It occurs because the library's 'autoType' feature can be manipulated to instantiate unexpected Java classes when parsing specific JSON input. This mechanism effectively allows an attacker to force the application to execute arbitrary code via JNDI injection, turning a routine data processing task into a vehicle for unauthorized system control.

How can an attacker trigger this vulnerability?

An attacker triggers this flaw by submitting a malicious JSON document containing an '@type' key directed at a specific Java class. The vulnerability requires the application to actively parse this crafted input. It is important to note that merely having the Fastjson library present in a project directory is not enough; the application must be configured to process JSON that includes these specific class-type instructions for the exploit to initiate.

Do I need to worry about this if my app is internal?

While the Halo Surface Signal indicates this library is frequently found in internet-facing web applications, internal systems are not necessarily immune. If your internal application processes untrusted data—even from other internal services—it could still be at risk. The primary factor is whether the application is reachable by a source that can supply the specially crafted JSON payload required to manipulate the library's parsing logic.

How should I respond to CVE-2025-70974?

Begin by auditing your software inventory to identify which applications include Fastjson versions prior to 1.2.48. Once identified, prioritize these systems based on their connectivity and the sensitivity of the data they handle. Coordinate with your development or vendor management teams to plan updates, as the focus must be on moving to a patched version of the library or implementing the necessary security configurations to disable the risky autoType functionality.

References