Why We’re Dropping Fastjson: A Deep Dive into Its API, Performance, and Security Risks

Background

Multiple JSON libraries (Fastjson, Gson, Jackson) were used in a legacy project, causing larger JAR sizes and increasing the attack surface. A new project therefore standardises on a single JSON library to reduce binary size and avoid library‑specific vulnerabilities.

Fastjson Overview

Fastjson is an open‑source JSON parser from Alibaba, written in Java. It maps JSON strings to JavaBeans (and vice‑versa) using a fast matching algorithm. It is widely used for cache serialization, protocol interaction and web output.

Minimal Fastjson Example

Add the Maven dependency (version ≥ 1.2.70 to include all security patches):

<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <version>1.2.70</version>
</dependency>

Define a simple JavaBean:

public class User {
    private String userName;
    private int age;
    private String address;
    // getters & setters
}

Serialize and deserialize:

public static void main(String[] args) {
    String json = "{\"address\":\"Beijing\",\"age\":28,\"user_name\":\"Tom\"}";
    // JSON → JavaBean
    User user = com.alibaba.fastjson.JSONObject.parseObject(json, User.class);
    System.out.println(user);
    // JavaBean → JSON
    String result = com.alibaba.fastjson.JSONObject.toJSONString(user);
    System.out.println(result);
}

Fastjson automatically maps the snake_case key user_name to the camelCase field userName:

User(userName=Tom, age=28, address=Beijing)
{"address":"Beijing","age":28,"userName":"Tom"}

Key Fastjson APIs

parse(String text)

– parse JSON to JSONObject or

JSONArray

parseObject(String text)

– parse to

JSONObject

parseObject(String text, Class<T> clazz)

– parse to a JavaBean parseArray(String text) – parse to

JSONArray

parseArray(String text, Class<T> clazz)

– parse to a list of JavaBeans toJSONString(Object object) – serialize a Java object toJSONString(Object object, boolean prettyFormat) – pretty‑print JSON toJSON(Object javaObject) – convert to JSONObject /

JSONArray

Vulnerability History – AutoType

Fastjson’s AutoType feature embeds a @type field in the JSON payload so that the parser can instantiate the original class during deserialization. This enables arbitrary class loading and has been the root cause of several high‑severity remote‑code‑execution (RCE) vulnerabilities.

Patch history (1.2.59 → 1.2.70) shows incremental hardening:

1.2.59 – improve AutoType security
1.2.60 – add AutoType blacklist (fix DoS)
1.2.61 – extend blacklist
1.2.62 – add blacklist, improve date deserialization
1.2.66 – security hardening, blacklist
1.2.67 – security hardening, blacklist
1.2.68 – introduce safeMode (disables AutoType)
1.2.69 – fix critical AutoType bypass
1.2.70 – enhance compatibility, blacklist

To mitigate the risk, projects can:

Upgrade to at least 1.2.70.

Enable ParserConfig.getGlobalInstance().setSafeMode(true) or set the system property fastjson.parser.safeMode=true to disable AutoType completely.

Define an explicit whitelist via ParserConfig.getGlobalInstance().addAccept("com.myapp.") if AutoType is required.

Reasons for Abandoning Fastjson

Popularity

According to Maven Central statistics, Fastjson ranks fourth among JSON‑in‑Java libraries, behind Jackson and Gson. Lower community adoption translates to fewer contributors, slower issue resolution and less documentation in English.

Design and Code Quality

Critiques point to sub‑optimal code quality, limited English documentation, and reliance on “tricks” that compromise strict JSON compliance and Java compatibility. The library’s internal optimisations sometimes break standard behaviours (e.g., handling of abstract types).

Open Issues

At the time of writing the GitHub repository had over 1,400 open issues, indicating ongoing maintenance challenges and potential instability.

Security Track Record

Repeated AutoType‑related vulnerabilities, despite patches, demonstrate a historically fragile security model. Even with safe‑mode enabled, legacy code may still be vulnerable if older versions are present on the classpath.

Conclusion

Fastjson provides convenient APIs and high performance, but its lower popularity, design compromises, large backlog of open issues, and a history of serious AutoType vulnerabilities make it a risky choice for new projects. Replacing Fastjson with more actively maintained libraries such as Jackson or Gson reduces the attack surface and benefits from larger community support.