com.alibaba:fastjson
Maven
3 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting com.alibaba:fastjson (page 1 of 1)
- CVE-2017-18349 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 1.2.31 | 2018-10-23
vulnerable: 1.1.15 ... 1.2.9 (161 versions)
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceNam…
- CVE-2022-25845 | HIGH | CVSS 8.1 | EG 9.0 | ✓ Fixed in 1.2.83 | 2022-06-10
vulnerable: 1.2.25 ... 1.2.80 (104 versions)
The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows at…
- CVE-2025-70974 | CRITICAL | CVSS 10.0 | EG 10.0 | ✓ Fixed in 1.2.48 | 2026-01-09
vulnerable: 1.1.15 ... 1.2.9 (180 versions)
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of th…