CVE-2025-70974 - Fastjson JNDI Injection Vulnerability - Full Analysis

CVE ID : CVE-2025-70974 Published : Jan. 9, 2026, 6:43 a.m. | 23 minutes ago Description : Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845. Severity: 10.0 | CRITICAL Visit the link for more details, such as CVSS details, affected products, timeline, and more...

Source: Telegram CVE Monitor