VDB

SNYK-JAVA-COMALIBABA-2859222

SNYK-JAVA-COMALIBABA-2859222 · Published · CVSS 8.1 · High

## Overview

[com.alibaba:fastjson](https://github.com/alibaba/fastjson) is a fast JSON parser/generator for Java. Affected versions of this package are vulnerable to Deserialization of Untrusted Data: under certain conditions the default `autoType` shutdown restrictions can be bypassed. Successful exploitation allows attacks against remote servers.

## Workaround

If upgrading is not possible, you can enable [`safeMode`](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).

## Details

Serialization is the process of converting an object into a sequence of bytes that can be persisted to disk or a database, or sent through a stream. The reverse process, creating an object from a sequence of bytes, is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (storing object state in a file or database). It is an integral part of popular protocols such as _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_ and _Java Server Faces (JSF) ViewState_.

_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing an attacker to control the state or the flow of execution.

## Remediation

Upgrade `com.alibaba:fastjson` to version 1.2.83 or higher.

## References

- [GitHub Commit](https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d)
- [GitHub Commit](https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15)
- [GitHub Release](https://github.com/alibaba/fastjson/releases/tag/1.2.83)
- [GitHub Wiki](https://github.com/alibaba/fastjson/wiki/security_update_20220523)
- [PoC](https://www.ddosi.org/fastjson-poc/)
- [PoC in GitHub](https://github.com/luelueking/CVE-2022-25845-In-Spring)
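The following is an added example, not code from the advisory or from the fastjson project, showing how to turn on the `safeMode` workaround programmatically and verify that a document carrying an `@type` hint is refused while ordinary documents still parse. The class name in the sample input and the `SafeModeCheck` class are constructed for this illustration; the `setSafeMode` call is the method documented on the linked wiki page.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

// Added example (not part of the advisory): confirm that fastjson safeMode
// rejects "@type" hints, which is the mechanism autoType bypasses rely on.
public class SafeModeCheck {

    // Constructed sample input carrying an "@type" key. The class name is a
    // placeholder: safeMode refuses the hint before any class is loaded, so the
    // name itself does not matter here.
    static final String TYPED_INPUT =
        "{\"@type\":\"com.example.Placeholder\",\"name\":\"widget\"}";

    // Constructed sample input without any type hint.
    static final String PLAIN_INPUT = "{\"name\":\"widget\"}";

    /** Returns true when the typed document is blocked by the parser. */
    static boolean autoTypeIsBlocked() {
        try {
            JSON.parseObject(TYPED_INPUT);
            return false; // the hint was accepted: safeMode is not in effect
        } catch (JSONException e) {
            return true;  // expected with safeMode on: the @type key is refused
        }
    }

    public static void main(String[] args) {
        // Same effect as starting the JVM with -Dfastjson.parser.safeMode=true
        ParserConfig.getGlobalInstance().setSafeMode(true);

        // Ordinary documents are unaffected by safeMode
        System.out.println("name = " + JSON.parseObject(PLAIN_INPUT).getString("name"));

        // Any document with an "@type" key is rejected outright
        System.out.println("autoType blocked: " + autoTypeIsBlocked());
    }
}
```

Enabling `safeMode` is a global setting; if the application legitimately depends on `@type` polymorphism anywhere, that code path will also start throwing, which is why the advisory presents it as a workaround rather than a substitute for upgrading.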

Risk Scores

CVSS 3.1
8.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P

Affected Products

Vendor / Product / Versions: 0 entries listed

Timeline

  • Jun 6, 2022 CVE Updated
  • Jun 7, 2022 CVE Published