Fastjson 1.2.80 and Earlier Vulnerability: Risks, Affected Versions, and Upgrade Recommendations
Fastjson versions up to and including 1.2.80 contain a deserialization vulnerability that bypasses the autoType restriction, posing a significant remote attack risk. Users are advised to upgrade to the 1.2.83 release, enable safeMode or use the noneautotype builds, and consider migrating to Fastjson 2.0 for stronger security.
1. Risk Description
Fastjson defends against deserialization attacks with a blacklist and whitelist mechanism (autoTypeSupport has been off by default since 1.2.25). A newly discovered vulnerability can, under specific conditions, bypass that default autoType restriction and allow an attacker to execute code on the remote server; the impact is high.
Fastjson users are strongly advised to take immediate security measures.
2. Affected Versions
All versions up to and including 1.2.80 (fastjson <= 1.2.80) are affected. Exploitation additionally requires specific third-party dependencies to be present on the application classpath, but classpaths change, so every deployment on these versions should be treated as vulnerable until fixed.
3. Upgrade Plan
3.1 Upgrade to the latest version 1.2.83
https://github.com/alibaba/fastjson/releases/tag/1.2.83
This version fixes the reported vulnerability. Its autoType behaviour also changed in ways that are not backward compatible in some scenarios, so regression-test any deserialization path that depends on the @type key before rolling it out.
3.2 SafeMode Hardening
Since version 1.2.68, Fastjson provides a safeMode configuration. With safeMode enabled, the whitelist and blacklist are both ignored and autoType is disabled outright, so gadget-based deserialization attacks that rely on the @type key cannot proceed. Any business code that depends on @type polymorphic deserialization will stop working, so evaluate the impact carefully before enabling it.
3.2.1 Enabling Method
Refer to the official documentation:
https://github.com/alibaba/fastjson/wiki/fastjson_safemode
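The following is an added example, not code from this page or from the fastjson project. It shows how to turn safeMode on programmatically on fastjson 1.2.68 or later, verify that it is active, and confirm that an @type directive is rejected while ordinary typed parsing into a DTO still works. The Order class, the class name com.example.Whatever and the two JSON strings are constructed placeholders; the JVM flag -Dfastjson.parser.safeMode=true and the safeMode=true key in fastjson.properties, mentioned in the comments, are the alternatives documented on the linked wiki page.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class SafeModeCheck {

    // Ordinary DTO the application expects. Placeholder type for this example.
    public static class Order {
        private String id;
        private int quantity;

        public String getId() { return id; }
        public void setId(String id) { this.id = id; }
        public int getQuantity() { return quantity; }
        public void setQuantity(int quantity) { this.quantity = quantity; }
    }

    // Switches the global ParserConfig into safeMode and reports its state.
    public static boolean enableSafeMode() {
        // Programmatic switch. Equivalent settings from the fastjson wiki:
        //   JVM:        -Dfastjson.parser.safeMode=true
        //   properties: safeMode=true in fastjson.properties on the classpath
        ParserConfig.getGlobalInstance().setSafeMode(true);
        return ParserConfig.getGlobalInstance().isSafeMode();
    }

    // Returns true if the parser refused to honour the @type directive.
    public static boolean autoTypeIsRejected(String json) {
        try {
            JSON.parse(json);
            return false; // parser honoured @type: autoType is still live
        } catch (JSONException e) {
            // With safeMode on, 1.2.68+ throws before any class lookup with
            // "safeMode not support autoType : <name>"
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("fastjson " + JSON.VERSION);
        System.out.println("safeMode enabled: " + enableSafeMode());

        // Constructed inputs. The class name is a placeholder: in safeMode the
        // directive is rejected before the name is resolved, so no real gadget
        // class is needed to exercise the check.
        String hostile = "{\"@type\":\"com.example.Whatever\",\"x\":1}";
        String benign  = "{\"id\":\"A-1\",\"quantity\":2}";

        // Typed parsing into an explicit target class needs no @type, so the
        // hardened configuration does not break normal DTO handling.
        Order order = JSON.parseObject(benign, Order.class);
        System.out.println("parsed order " + order.getId() + " x" + order.getQuantity());

        System.out.println("@type rejected: " + autoTypeIsRejected(hostile));
    }
}
```

Run this once against the build you actually deploy: if autoTypeIsRejected returns false, the @type key is still being honoured and the hardening has not taken effect (for example because safeMode was set on a ParserConfig instance other than the one your code parses with). Since the page describes the noneautotype builds as having the same effect as safeMode, the same rejection check is a reasonable way to confirm that one of them is in use, though that build's exact exception message was not verified here.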
3.2.2 Is safeMode needed after upgrading to 1.2.83?
Version 1.2.83 patches this vulnerability. Enabling safeMode on top of it disables autoType entirely, which also closes off bypass techniques that have not been discovered yet. Assess the compatibility impact before activating it.
3.2.3 Does enabling safeMode require an upgrade?
Deployments on 1.2.68 or later that already run with safeMode enabled are not affected by this specific vulnerability, so for them the upgrade is optional if safeMode is the only protection relied upon.
3.3 Upgrade to Fastjson v2
Fastjson v2 repository:
https://github.com/alibaba/fastjson2/releases
Fastjson 2.0 has been rewritten for better performance and removes the 1.x whitelist mechanism, improving security. It is not fully compatible with the 1.x API, so thorough compatibility testing is required before migration.
3.4 noneautotype Versions
Since May 26, noneautotype builds have been published for users who need a drop-in replacement with the same effect as safeMode (autoType disabled outright). Users of these builds are not affected by the current vulnerability. Available artifacts:
https://repo1.maven.org/maven2/com/alibaba/fastjson/1.2.8_noneautotype/
https://repo1.maven.org/maven2/com/alibaba/fastjson/1.2.48_noneautotype/
https://repo1.maven.org/maven2/com/alibaba/fastjson/1.2.54_noneautotype/
https://repo1.maven.org/maven2/com/alibaba/fastjson/1.2.60_noneautotype/
https://repo1.maven.org/maven2/com/alibaba/fastjson/1.2.71_noneautotype/
Please apply the appropriate fix promptly to keep your systems safe.