THREATOPS
THREAT OPSThreat News › [NVD] CVE-2025-70974 (CRITICAL 10.0) — Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection

[NVD] CVE-2025-70974 (CRITICAL 10.0) — Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection

lownvdPublished 2026-01-09

CVE-2025-70974 CVSS: 10.0 CRITICAL Published: 2026-01-09T07:16:02.677

Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhe

Indicators of compromise

Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-70974