Critical Fastjson RCE Vulnerability (≤1.2.68): Risks, Impact, and Fixes
On May 28, 2020, 360CERT reported a high‑severity remote code execution flaw in Alibaba’s Fastjson library (versions ≤1.2.68) that bypasses autotype restrictions, affecting many assets, and provided temporary mitigation steps and upgrade recommendations to safeguard systems.
0x01 Vulnerability Background
On May 28, 2020, 360CERT detected a high‑severity remote code execution (RCE) vulnerability in Fastjson, Alibaba’s open‑source JSON parsing library for Java.
Fastjson can serialize Java objects to JSON and deserialize JSON back to Java objects. The flaw allows attackers to bypass the autotype switch restriction, craft a malicious deserialization chain, and achieve remote command execution. Exploitation requires a chain not blocked by Fastjson’s blacklist.
0x02 Risk Rating
360CERT rates the vulnerability as High severity with a Broad impact scope.
0x03 Affected Versions
Fastjson versions ≤ 1.2.68 are vulnerable.
0x04 Mitigation Recommendations
Temporary Fix
Upgrade to Fastjson 1.2.68 and enable SafeMode to disable autotype:
    ParserConfig.getGlobalInstance().setSafeMode(true);
Note that SafeMode disables autotype entirely, which may affect business logic and should be evaluated before deployment.
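The SafeMode switch in use, as an added example (not code from the advisory or the Fastjson project): once the global ParserConfig is put in SafeMode, ordinary documents still bind to the application's POJO, while any document carrying an @type key is rejected with a JSONException, including a legitimate polymorphic payload, which is the business-logic impact the advisory warns about. The Order class, its fields and the class name in the sample document are assumptions.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class SafeModeCheck {
    // Assumed application POJO that the endpoint legitimately expects.
    public static class Order {
        public String id;
        public int qty;
    }

    // Constructed sample input: a plain document and one that carries the @type key.
    static final String PLAIN = "{\"id\":\"A-1\",\"qty\":2}";
    // "com.example.Anything" is a placeholder class name, not a real gadget.
    static final String TYPED = "{\"@type\":\"com.example.Anything\",\"id\":\"A-1\",\"qty\":2}";

    /** Returns true when Fastjson refuses the document under the current global ParserConfig. */
    static boolean rejected(String json) {
        try {
            JSON.parseObject(json, Order.class);
            return false;
        } catch (JSONException e) {
            // In SafeMode the message reads "safeMode not support autoType : <name>".
            return true;
        }
    }

    public static void main(String[] args) {
        // Mitigation step quoted in the advisory: disable autotype globally.
        ParserConfig.getGlobalInstance().setSafeMode(true);

        System.out.println("plain document rejected? " + rejected(PLAIN));  // expected: false
        System.out.println("@type document rejected? " + rejected(TYPED));  // expected: true
    }
}
```

Running this check in a test suite before rollout surfaces every code path that relied on @type, which is the evaluation the advisory asks for.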
0x05 Timeline
2020‑05‑28: 360CERT observed the security advisory from other vendors.
2020‑05‑28: 360CERT issued its own warning.
0x06 References
Fastjson ≤1.2.68 Remote Code Execution Advisory: https://cloud.tencent.com/announce/detail/1112
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"