Critical Fastjson Deserialization Flaw Fixed – What You Need to Know
Fastjson 1.2.80 and earlier contain a deserialization flaw that bypasses the default autoType restrictions; deployments running with safeMode enabled are not affected. The Fastjson team has released 1.2.83 as a fix and recommends upgrading to it, enabling safeMode, or migrating to Fastjson v2.
Vulnerability Description
Fastjson is an open‑source Java library from Alibaba for fast conversion between Java objects and JSON strings.
Versions 1.2.80 and earlier rely on a black list and a white list to defend against deserialization attacks. Research has shown that under specific conditions the default autoType restrictions (autoType disabled) can be bypassed, letting an attacker choose which class is instantiated from the JSON input and, with a suitable gadget on the classpath, achieve remote code execution.
Affected Scope
Fastjson <= 1.2.80. Deployments with safeMode enabled are not affected.
Remediation Recommendations
The Fastjson development team has published a security fix. Users should follow the official security update (https://github.com/alibaba/fastjson/wiki/security_update_20220523) and choose one of the following actions:
Upgrade to the latest 1.2.83 release
Download the new version at https://github.com/alibaba/fastjson/releases/tag/1.2.83. Note that this version changes autoType behavior and may cause incompatibilities; issues can be reported at https://github.com/alibaba/fastjson/issues. Because fastjson is frequently pulled in transitively, inspect the resolved dependency tree (for example with `mvn dependency:tree` or `gradle dependencies`) rather than only the direct declarations, and confirm that every copy resolves to 1.2.83.
Enable safeMode
Fastjson has provided safeMode since version 1.2.68. When it is enabled, both the white list and the black list are ignored and autoType is disabled outright, which closes off gadget-based deserialization attacks such as this one. It can be turned on in code, with the JVM property fastjson.parser.safeMode=true, or through a fastjson.properties file on the classpath; see https://github.com/alibaba/fastjson/wiki/fastjson_safemode for configuration details. The setting applies to the global ParserConfig, so any code in the same JVM that relies on the "@type" key for polymorphic deserialization will start failing and must be changed to bind to explicit target types.
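The following is an added example, not code from the original article or from the Fastjson project. It enables safeMode programmatically on fastjson 1.2.68+ and then shows the two behaviours a practitioner needs to verify after the change: binding to a caller-chosen class keeps working, while any input that tries to select the class itself through "@type" is rejected before the class is resolved. The User class and the JSON strings are constructed for illustration; the class named in the "@type" input is that harmless POJO, not a gadget, because the point is that the mechanism is switched off irrespective of the class name.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

// Added example (not from the article or the Fastjson project): enabling
// safeMode on fastjson 1.2.68+ and checking what it changes.
// Assumes a fastjson 1.2.x jar (1.2.68 or later) on the classpath; the
// User class and the JSON inputs below are constructed for illustration.
public class SafeModeDemo {

    // Plain POJO used as the explicit target type. Fastjson bean binding
    // needs a public no-arg constructor and getters/setters.
    public static class User {
        private String name;
        private int age;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public int getAge() { return age; }
        public void setAge(int age) { this.age = age; }
    }

    public static void main(String[] args) {
        // Option 1 (code): turn on safeMode for the global ParserConfig.
        // Equivalent alternatives documented in the Fastjson wiki:
        //   JVM flag:        -Dfastjson.parser.safeMode=true
        //   classpath file:  fastjson.properties containing fastjson.parser.safeMode=true
        ParserConfig.getGlobalInstance().setSafeMode(true);

        // Binding to an explicit, caller-chosen class still works: the
        // parser does not need autoType when the target type is supplied.
        String plain = "{\"name\":\"alice\",\"age\":30}";
        User u = JSON.parseObject(plain, User.class);
        System.out.println("bound: " + u.getName() + " / " + u.getAge());

        // Input that asks the parser to pick the class via "@type".
        // With no target type this path needs autoType; under safeMode it
        // is rejected up front, regardless of white/black lists.
        String typed = "{\"@type\":\"" + User.class.getName()
                + "\",\"name\":\"bob\",\"age\":41}";
        try {
            Object o = JSON.parseObject(typed);
            System.out.println("unexpected: autoType still active, got "
                    + o.getClass().getName());
        } catch (JSONException e) {
            // Expected on 1.2.68+ with safeMode on; the message reads
            // "safeMode not support autoType : <class name>".
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run it once with the safeMode line present and once with it commented out: the second run is a quick way to confirm that the flag, and not some other setting, is what rejects the "@type" input. Any production code path that lands in the catch block after the rollout is one that was depending on autoType and needs to be rewritten to pass an explicit target class.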
Migrate to Fastjson v2
Fastjson v2 (https://github.com/alibaba/fastjson2/releases) removes the autoType whitelist mechanism entirely, improving security. The codebase has been rewritten with significant performance gains, but it is not fully compatible with 1.x (the package name changes to com.alibaba.fastjson2), so thorough compatibility testing is required. Issues can be filed at https://github.com/alibaba/fastjson2/issues.
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"
