Fastjson Remote Code Execution Vulnerability – Background, Risk, Affected Versions, and Mitigation
The article details the high‑severity Fastjson remote code execution vulnerability discovered on May 28 2020, describing its background, risk assessment, affected versions (≤ 1.2.68), recommended temporary mitigation using SafeMode, a timeline of events, and reference links for further information.
0x01 Vulnerability Background
On May 28, 2020, 360CERT reported a high‑severity remote code execution vulnerability in Alibaba’s open‑source Fastjson library, which parses JSON strings to Java objects.
Fastjson’s autotype restrictions can be bypassed, allowing an attacker who controls the JSON input to trigger deserialization chains that execute arbitrary commands; exploitation requires a gadget chain that is not blocked by Fastjson’s autotype blacklist.
At the time of the advisory, no fixed release (1.2.69 or later) was available; users were urged to watch for updates and apply the temporary mitigation below.
0x02 Risk Level
360CERT rates the vulnerability as High severity with a wide impact.
Assessment method: Level
Threat level: High
Impact scope: Wide
0x03 Affected Versions
Fastjson versions ≤ 1.2.68 are vulnerable.
0x04 Mitigation Recommendations
Temporary fix:
Upgrade to Fastjson 1.2.68 and enable SafeMode by calling ParserConfig.getGlobalInstance().setSafeMode(true); once at application startup. Note that SafeMode disables autotype entirely (every "@type" key is rejected), so assess the business impact before enabling it.
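As an added illustration that is not part of the 360CERT advisory or the Fastjson project, the following Java program shows the SafeMode mitigation applied to untrusted input: SafeMode is switched on once at startup, and JSON is parsed only into a fixed target class, so any document carrying an "@type" key is rejected before type resolution happens. The ServiceConfig class and the two sample JSON strings are constructed for this example.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class SafeModeDemo {
    // Hypothetical target type: the only class untrusted JSON is ever allowed to become.
    public static class ServiceConfig {
        public String name;
        public int port;
    }

    // Enable SafeMode once, before any JSON.parse* call. The same effect can be obtained
    // without a code change by starting the JVM with -Dfastjson.parser.safeMode=true.
    public static void hardenParser() {
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    // Parse untrusted input into a fixed class. With SafeMode on, Fastjson throws a
    // JSONException as soon as it sees an "@type" key, even one naming the expected class,
    // so no attacker-chosen class is ever resolved or instantiated.
    public static ServiceConfig parseConfig(String untrustedJson) {
        try {
            return JSON.parseObject(untrustedJson, ServiceConfig.class);
        } catch (JSONException e) {
            // Treat as a bad request; never fall back to a permissive parser configuration.
            System.err.println("rejected JSON: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        hardenParser();
        // Constructed sample inputs: a normal document and one that carries an @type key.
        String benign = "{\"name\":\"api\",\"port\":8080}";
        String typed  = "{\"@type\":\"java.util.HashMap\",\"name\":\"api\"}";

        ServiceConfig ok = parseConfig(benign);
        System.out.println("benign -> " + (ok == null ? "rejected" : ok.name + ":" + ok.port));

        ServiceConfig bad = parseConfig(typed);
        System.out.println("@type  -> " + (bad == null ? "rejected" : "accepted"));
    }
}
```

Run with Fastjson 1.2.68 on the classpath; the second input is rejected with a SafeMode error while the first parses normally, which is the behaviour to verify in staging before rolling the setting out.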
0x05 Timeline
2020‑05‑28: Vulnerability notice detected by 360CERT.
2020‑05‑28: 360CERT issued an alert.
0x06 References
Tencent Cloud announcement: https://cloud.tencent.com/announce/detail/1112?from=timeline&isappinstalled=0
Official announcement (Fastjson releases): https://github.com/alibaba/fastjson/releases
Architecture Digest