Critical Fastjson Vulnerability: How to Secure Your Java Apps Now
A deserialization vulnerability in Fastjson 1.2.80 and earlier lets an attacker bypass the default autoType restriction and reach remote code execution. This advisory summarizes the risk, the affected versions, the upgrade path to 1.2.83, safeMode hardening, migration to fastjson v2, and the noneautotype builds that protect Java applications.
1. Risk Description
Fastjson relies on blacklists and whitelists to defend against deserialization attacks. This exploit can bypass the default autoType-off restriction under specific conditions and lead to remote code execution, so the risk is high.
Fastjson users are advised to take the measures below immediately.
2. Affected Versions
Fastjson 1.2.80 and earlier are affected. Exploitation depends on specific third-party dependencies (gadget classes) being present on the application's classpath, so check which libraries ship alongside Fastjson rather than assuming you are safe.
3. Upgrade Plan
3.1 Upgrade to the latest version 1.2.83
https://github.com/alibaba/fastjson/releases/tag/1.2.83
This release changes autoType behaviour and can break existing usage; assess the impact on your application before rolling it out.
3.2 Enable safeMode
safeMode was introduced in Fastjson 1.2.68. With it enabled, autoType is switched off entirely, whitelist and blacklist included, so gadget-based deserialization attacks no longer apply. Any feature that relies on the @type key will stop working, so assess the impact on your application first.
3.2.1 How to enable
Refer to: https://github.com/alibaba/fastjson/wiki/fastjson_safemode
3.2.2 Is safeMode needed with version ≥ 1.2.83?
Version 1.2.83 fixes this specific vulnerability. Enabling safeMode on top of it turns autoType off completely and shuts the door on the same class of issue, at the cost of compatibility for code that depends on autoType.
3.2.3 Is upgrade required when safeMode is enabled?
Applications that already run with safeMode enabled are not affected by this vulnerability; upgrading is optional for them.
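The following is an added example, not code from the advisory or from the Fastjson project, showing how safeMode is enabled in code and what it changes at runtime. It assumes Fastjson 1.2.68 or later on the classpath (for instance com.alibaba:fastjson:1.2.83); the class name com.example.AnyClass and the Order bean are made up for the demonstration. Besides the programmatic switch used here, the wiki linked above documents the JVM flag -Dfastjson.parser.safeMode=true and a fastjson.properties file containing fastjson.parser.safeMode=true, which achieve the same effect without a code change.

```java
// Added example (not from the advisory or the Fastjson project).
// Assumes fastjson 1.2.68+ on the classpath; sample class names are constructed.
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;
import com.alibaba.fastjson.serializer.SerializerFeature;

public class SafeModeProbe {

    // Plain bean used for the round-trip checks below.
    public static class Order {
        private String id;
        private int qty;
        public String getId() { return id; }
        public void setId(String id) { this.id = id; }
        public int getQty() { return qty; }
        public void setQty(int qty) { this.qty = qty; }
    }

    // Returns true if fastjson refused the document with a JSONException.
    static boolean rejected(String json) {
        try {
            JSON.parse(json);
            return false;
        } catch (JSONException e) {
            System.out.println("rejected: " + e.getMessage());
            return true;
        }
    }

    public static void main(String[] args) {
        // Global switch; must run before the first parse call in the JVM.
        // Alternatives: -Dfastjson.parser.safeMode=true on the JVM command line,
        // or fastjson.properties on the classpath with fastjson.parser.safeMode=true.
        ParserConfig.getGlobalInstance().setSafeMode(true);

        // Constructed input: under safeMode any @type is refused before any
        // whitelist or blacklist lookup takes place, whatever the class name is.
        String typed = "{\"@type\":\"com.example.AnyClass\",\"id\":\"A1\"}";
        System.out.println("@type refused under safeMode: " + rejected(typed));

        // Ordinary typed parsing (no @type in the document) keeps working.
        Order o = JSON.parseObject("{\"id\":\"A1\",\"qty\":3}", Order.class);
        System.out.println("plain parse ok: " + o.getId() + " x" + o.getQty());

        // Compatibility caveat: output written with WriteClassName carries @type,
        // so it no longer round-trips once safeMode is on. Find such callers
        // (and any stored JSON containing @type) before enabling safeMode in production.
        String withClassName = JSON.toJSONString(o, SerializerFeature.WriteClassName);
        System.out.println(withClassName);
        System.out.println("WriteClassName output refused: " + rejected(withClassName));
    }
}
```

Run it once with the safeMode line in place and once with it commented out: the first probe is refused only in safeMode, while the plain bean parse succeeds in both runs. The last probe is the practical test for the compatibility question raised above: if your code or persisted data contains @type, safeMode will break it, and that is where migration work is needed.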
3.3 Upgrade to fastjson v2
https://github.com/alibaba/fastjson2/releases
Fastjson v2 drops the autoType whitelist mechanism, hardens security, and is a rewrite with better performance, but it is not fully compatible with 1.x; test thoroughly before migrating.
3.4 noneautotype versions
After May 26, noneautotype builds are provided for security hardening needs; they behave like safeMode, with autoType disabled completely.
Users of the noneautotype versions are not affected by this vulnerability.
https://repo1.maven.org/maven2/com/alibaba/fastjson/1.2.8_noneautotype/
https://repo1.maven.org/maven2/com/alibaba/fastjson/1.2.48_noneautotype/
https://repo1.maven.org/maven2/com/alibaba/fastjson/1.2.54_noneautotype/
https://repo1.maven.org/maven2/com/alibaba/fastjson/1.2.60_noneautotype/
https://repo1.maven.org/maven2/com/alibaba/fastjson/1.2.71_noneautotype/
Apply the fixes promptly to keep your systems safe.
Java Backend Technology