CVE-2022-25845
Unsafe deserialization in com.alibaba:fastjson
CVSS 3.1 base score: 8.1 (HIGH)
EPSS: 88.3%
Description
The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).
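The safeMode workaround mentioned above, as an added example (not part of the advisory or the fastjson project): it switches on safeMode for the global ParserConfig and shows that a document carrying an `@type` key is then refused while ordinary JSON still parses. It assumes fastjson 1.2.68 or later on the classpath (the release that introduced safeMode); the sample inputs and the class name inside them are constructed placeholders.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastjsonSafeModeDemo {
    // Enable safeMode on the global ParserConfig. With safeMode on, fastjson
    // rejects every "@type" key in incoming JSON, independent of the autoType
    // allow/deny lists. The equivalent JVM flag is -Dfastjson.parser.safeMode=true.
    static void enableSafeMode() {
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    // Returns true when fastjson refused the document because safeMode saw "@type".
    static boolean rejectedBySafeMode(String json) {
        try {
            JSON.parseObject(json);
            return false;
        } catch (JSONException e) {
            return e.getMessage() != null && e.getMessage().contains("safeMode");
        }
    }

    public static void main(String[] args) {
        enableSafeMode();
        // Constructed sample inputs: a plain document and one carrying an "@type"
        // key. com.example.Placeholder is a placeholder class name, not a real type.
        String plain = "{\"user\":\"alice\",\"role\":\"reader\"}";
        String typed = "{\"@type\":\"com.example.Placeholder\",\"user\":\"alice\"}";
        System.out.println("plain document rejected: " + rejectedBySafeMode(plain));
        System.out.println("@type document rejected: " + rejectedBySafeMode(typed));
    }
}
```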
How to fix CVE-2022-25845
To remediate CVE-2022-25845, upgrade the affected package to a fixed version below.
- com.alibaba:fastjson: upgrade to 1.2.83 or later
Is CVE-2022-25845 being exploited?
Likely — EPSS is 88.3%, placing CVE-2022-25845 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- com.alibaba:fastjson: >= 1.2.25, < 1.2.83
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.1) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |