Fastjson <=1.2.68 Remote Code Execution Vulnerability and Mitigation Recommendations
Tencent Cloud Security reports that Fastjson versions up to 1.2.68 contain a high‑risk remote code execution vulnerability exploitable via the autotype feature, allowing attackers to gain server system privileges, and recommends immediate updates, enabling SafeMode, or replacing the library with alternatives such as Jackson‑databind or Gson.
At the time of this announcement, 1.2.68 is the latest Fastjson release, so every released version is affected.
Dear Tencent Cloud user,
Tencent Cloud Security Operations Center recently detected that Fastjson versions ≤1.2.68 have a remote code execution vulnerability that can be exploited to obtain server permissions.
To prevent impact, Tencent Cloud Security advises you to conduct a security self‑check and, if affected, update promptly to avoid intrusion.
Vulnerability Details
Fastjson is Alibaba's open‑source JSON parsing library that can parse JSON strings, serialize Java beans to JSON, and deserialize JSON to Java objects.
Researchers from Tencent's Xuanwu Lab discovered that the restriction on the autotype switch can be bypassed, allowing chain deserialization of classes that are normally unsafe.
Exploitation relies on gadget classes, and those classes must not be on Fastjson's blacklist: this vulnerability bypasses the autotype restriction, not the blacklist itself.
Risk Level
High
Vulnerability Impact
Remote code execution, granting attacker system privileges on the server.
Affected Versions
Fastjson ≤ 1.2.68
Mitigation Recommendations
As of this announcement, no newer official version is released. You can apply the following mitigations:
1) Monitor official updates and upgrade to version 1.2.69 when available.
2) Upgrade to Fastjson 1.2.68 and enable SafeMode by configuring the following parameter:
ParserConfig.getGlobalInstance().setSafeMode(true);
SafeMode completely disables autotype, ignoring the whitelist; assess any impact on your application before enabling it.
3) Consider replacing Fastjson with alternatives such as Jackson‑databind or Gson.
Note: Back up your data before applying patches to avoid accidental loss.
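A small self-check for mitigation 2), added here as an example and not taken from Tencent Cloud or the Fastjson project: it enables SafeMode as the advisory describes, then confirms that a document carrying an @type key is refused while plain JSON still parses. It assumes Fastjson 1.2.68 on the classpath (setSafeMode was introduced in that release); the class name inside the sample @type document is a placeholder, and both JSON documents are constructed inputs.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.parser.ParserConfig;

/**
 * Added example (not Tencent Cloud's or Fastjson's own code).
 * Assumes Fastjson 1.2.68: ParserConfig.setSafeMode and JSON.VERSION exist in that release.
 */
public class FastjsonSafeModeCheck {

    /** Mitigation 2) from the advisory: disable autotype globally, whitelist included. */
    public static void enableSafeMode() {
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    /** True when Fastjson refuses the document; with SafeMode on, any @type key is refused. */
    public static boolean isRejected(String json) {
        try {
            JSON.parseObject(json);
            return false;
        } catch (JSONException e) {
            // 1.2.68 reports "safeMode not support autoType : <name>" for the @type key;
            // any JSONException is treated as a rejection so the check does not depend on wording.
            return true;
        }
    }

    public static void main(String[] args) {
        // Verify which release is actually loaded before trusting the SafeMode switch.
        System.out.println("Fastjson version on classpath: " + JSON.VERSION);
        enableSafeMode();

        // Constructed input: a document with an @type key. The class name is a placeholder;
        // SafeMode rejects the key regardless of which class it names.
        String withAutoType = "{\"@type\":\"com.example.PlaceholderBean\",\"id\":1}";
        // Constructed input: ordinary JSON without a type hint.
        String plain = "{\"id\":1,\"name\":\"order-42\"}";

        System.out.println("@type document rejected: " + isRejected(withAutoType));
        JSONObject obj = JSON.parseObject(plain);
        System.out.println("plain document parsed, id=" + obj.getIntValue("id"));
    }
}
```

Run this once against the application's real classpath: the printed JSON.VERSION confirms the upgrade took effect, and a rejected @type document confirms SafeMode is active for the global ParserConfig. Applications that legitimately rely on @type for polymorphic deserialization will see the same rejection, which is the impact the advisory asks you to assess.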
FunTester