CVE-2025-70974

critical

Red Hat

CVSS v3 Base Score

10.0

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Published: January 9, 2026

Last Modified: January 9, 2026

Vendor: Red Hat

Description

Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.

CWE

CWE-829

Affected Products

OpenShift Service Mesh 2Red Hat build of Apache Camel for Spring Boot 4Red Hat build of Debezium 2Red Hat build of Debezium 3Red Hat Fuse 7Red Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion Pack

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov 🔗 cert.360.cn 🔗 github.com

CVE-2025-70974

Vulnerability Report

Description

CWE

Affected Products

References