A newly discovered Fastjson vulnerability affecting versions up to 1.2.80 can bypass autoType restrictions, enabling remote attacks, and the advisory outlines the risk, affected versions, upgrade paths, safeMode hardening, the fastjson v2 migration, and none‑autotype alternatives to protect Java applications.
Fastjson versions up to 1.2.80 contain a deserialization vulnerability that can bypass autoType restrictions, posing significant remote attack risk; users are advised to upgrade to the latest 1.2.83 release, enable safeMode or use the noneautotype builds, and consider migrating to Fastjson 2.0 for enhanced security.
Fastjson versions up to 1.2.80 contain a deserialization flaw that can bypass the default autoType restriction, but the issue is mitigated by safeMode; the Fastjson team has released patches, recommending upgrades to 1.2.83, enabling safeMode, or migrating to Fastjson v2 for enhanced security.
This article examines Fastjson's AutoType feature, explains how it works, demonstrates how it can lead to serious deserialization vulnerabilities, reviews the evolution of related security patches across versions, and provides guidance on safe usage and mitigation strategies.
Tencent Cloud Security reports that Fastjson versions up to 1.2.68 contain a high‑risk remote code execution vulnerability exploitable via the autotype feature, allowing attackers to gain server system privileges, and recommends immediate updates, enabling SafeMode, or replacing the library with alternatives such as Jackson‑databind or Gson.
