THREAT OPS › Threat News › [NVD] CVE-2025-70974 (CRITICAL 10.0) — Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection
[NVD] CVE-2025-70974 (CRITICAL 10.0) — Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection
CVE-2025-70974 CVSS: 10.0 CRITICAL Published: 2026-01-09T07:16:02.677
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhe
Indicators of compromise
- CVE-2025-70974cve
- CVE-2017-18349cve
- CVE-2022-25845cve
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-70974