Search for packages
| purl | pkg:maven/com.alibaba/fastjson@1.2.2.sec10 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-b9ek-rpag-ryen
Aliases: CVE-2017-18349 GHSA-xjrr-xv9m-4pw5 |
Improper Input Validation Fastjson allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted `rmi://` URI in the `dataSourceName` field of HTTP POST data to the Pippo `/json` URI, which is mishandled in `AjaxApplication.java`. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-psg9-8bg6-6fb4
Aliases: CVE-2025-70974 GHSA-jm7w-5684-pvh8 |
FASTJSON Includes Functionality from Untrusted Control Sphere Fastjson before 1.2.48 mishandles autoType because, when an `@type` key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T06:37:09.569309+00:00 | GitLab Importer | Affected by | VCID-psg9-8bg6-6fb4 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.alibaba/fastjson/CVE-2025-70974.yml | 38.6.0 |
| 2026-06-04T20:16:40.955045+00:00 | GitLab Importer | Affected by | VCID-b9ek-rpag-ryen | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.alibaba/fastjson/CVE-2017-18349.yml | 38.6.0 |