
AVID-2026-R1003

Description

Deserialization of Untrusted Data (CVE-2022-25845)

Details

The package com.alibaba:fastjson before version 1.2.83 is vulnerable to Deserialization of Untrusted Data: under certain conditions, an attacker can bypass the default autoType shutdown restrictions and have the parser instantiate a class named in the JSON input. Exploiting this vulnerability allows remote code execution on a server that parses attacker-controlled JSON. Workaround: if upgrading is not possible, enable safeMode, which disables autoType entirely rather than relying on the deny list.

Reason for inclusion in AVID: CVE-2022-25845 describes a deserialization of untrusted data vulnerability in the com.alibaba:fastjson library (versions before 1.2.83), allowing remote code execution by bypassing autoType shutdown restrictions. This is a software supply-chain risk in a widely-used library that can be part of AI data ingestion, processing, or service stacks. Although not AI-specific, such libraries are commonly used in components that build, deploy, or serve AI systems, making this a relevant vulnerability in the AI software stack. The CVE has clear security impact (RCE, remote exploitation) and is well-documented with multiple references. Therefore it qualifies as an AI-related supply-chain vulnerability with sufficient evidence.
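The following is an added example, not code from the AVID entry or from the fastjson project. It contrasts the pattern the advisory warns about (parsing untrusted JSON with fastjson's default autoType checks, which CVE-2022-25845 bypasses before 1.2.83) with the recommended workaround (safeMode, set here per ParserConfig; the JVM property -Dfastjson.parser.safeMode=true sets it globally). The class FastjsonSafeModeDemo, the UserDto fields, the sample documents and the placeholder type name com.example.NotARealGadget are assumptions made for illustration; the placeholder is not a known gadget, it only carries the "@type" key that autoType acts on.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

// Added example (not from the AVID entry or the fastjson project).
// Requires com.alibaba:fastjson on the classpath. Upgrading to 1.2.83 or
// later is the actual fix; safeMode is the workaround when that is not possible.
public class FastjsonSafeModeDemo {

    // Plain data class that untrusted JSON is allowed to populate (assumed shape).
    public static class UserDto {
        public String user;
        public String role;
    }

    // Constructed sample input: one benign document and one carrying the
    // "@type" key, the hook fastjson's autoType uses to instantiate a class
    // named by the input. The class name is a hypothetical placeholder.
    static final String BENIGN = "{\"user\":\"alice\",\"role\":\"viewer\"}";
    static final String AUTOTYPE_PROBE =
            "{\"@type\":\"com.example.NotARealGadget\",\"user\":\"mallory\"}";

    // Weak setting: global ParserConfig with autoType "shut down" but still
    // consulting the deny/accept lists. Versions before 1.2.83 can be made to
    // bypass those lists, which is what CVE-2022-25845 describes.
    static UserDto parseWithDefaults(String body) {
        return JSON.parseObject(body, UserDto.class);
    }

    // Hardened setting: a ParserConfig with safeMode enabled. Any "@type" in
    // the input is rejected with a JSONException before any class lookup,
    // regardless of deny lists, while ordinary fields still bind to UserDto.
    private static final ParserConfig SAFE_CONFIG = new ParserConfig();
    static {
        SAFE_CONFIG.setSafeMode(true);
    }

    static UserDto parseSafely(String body) {
        return JSON.parseObject(body, UserDto.class, SAFE_CONFIG);
    }

    // Request-handling wrapper: a rejected document is a bad request, not an
    // exception that escapes to the caller with parser internals attached.
    static String handle(String body) {
        try {
            UserDto dto = parseSafely(body);
            return "ok: user=" + dto.user + " role=" + dto.role;
        } catch (JSONException e) {
            // Message from fastjson reads "safeMode not support autoType : ..."
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println(handle(BENIGN));          // ok: user=alice role=viewer
        System.out.println(handle(AUTOTYPE_PROBE));  // rejected: safeMode not support autoType : ...
    }
}
```

Prefer binding untrusted input to a concrete DTO type as above rather than parsing into a generic JSONObject; combined with safeMode, the parser never consults the input for a class name at all. The global form, ParserConfig.getGlobalInstance().setSafeMode(true), covers every JSON.parse* call in the JVM and is the simpler choice for a service that has no legitimate use of "@type".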

References

Affected or Relevant Artifacts

  • Developer: n/a
  • Deployer: n/a
  • Artifact Details:
      Type: System
      Name: com.alibaba:fastjson

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P
Base Score: 8.1
Base Severity: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High

The trailing E:P in the vector string is a temporal metric (Exploit Code Maturity: Proof-of-Concept); it does not enter the 8.1 base score, which is computed from the eight base metrics listed above.

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2022-06-10
  • Version: 0.3.3
  • AVID Entry