On June 22, 2019, Alibaba Cloud Security emergency response center discovered a zero-day remote code execution (RCE) vulnerability in Fastjson. Attackers can exploit the vulnerability and bypass blacklist policies to execute malicious code.
Vulnerability name
Fastjson zero-day RCE vulnerability
Vulnerability description
Attackers can exploit the zero-day vulnerability to craft a request that bypasses the Fastjson blacklist policies and executes malicious code. For example, an attacker can craft a request that remotely executes a specified command on the server; in the advisory's example the executed command launches a calculator program.

Affected versions
Fastjson versions earlier than 1.2.48
Solution
Upgrade Fastjson to the latest version. We recommend that you upgrade Fastjson to 1.2.58.
Note: We also recommend that you upgrade Fastjson even if your version is not in the affected range.
Upgrade method
You can update Maven dependency configurations to upgrade Fastjson to 1.2.58.
<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <version>1.2.58</version>
</dependency>
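An added audit script, not part of the advisory, that scans a pom.xml for com.alibaba:fastjson dependencies and reports any version below the fixed release 1.2.48, resolving versions written as ${...} property references; the sample POM embedded at the bottom is constructed.

```python
import re
import xml.etree.ElementTree as ET

FIXED_IN = (1, 2, 48)   # first release not affected, per the advisory
RECOMMENDED = "1.2.58"  # release the advisory recommends upgrading to

def version_tuple(version):
    """'1.2.47' -> (1, 2, 47); a suffix such as '-SNAPSHOT' is ignored (conservative)."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])

def is_affected(version):
    # Anything that does not parse to at least 1.2.48 is treated as affected.
    return version_tuple(version) < FIXED_IN

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the Maven POM XML namespace

def find_fastjson_versions(pom_xml):
    """Resolved version string of every com.alibaba:fastjson dependency."""
    root = ET.fromstring(pom_xml)
    # <properties> lets us resolve versions written as ${fastjson.version}.
    props = {}
    for node in root.iter():
        if _local(node.tag) == "properties":
            props.update({_local(p.tag): (p.text or "").strip() for p in node})
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        if f.get("groupId") == "com.alibaba" and f.get("artifactId") == "fastjson":
            version = f.get("version", "")
            m = re.fullmatch(r"\$\{(.+)\}", version)
            found.append(props.get(m.group(1), version) if m else version)
    return found

# Constructed sample pom.xml: one dependency pinned through a property to a
# vulnerable release, one already on the recommended release.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><fastjson.version>1.2.47</fastjson.version></properties>
  <dependencies>
    <dependency><groupId>com.alibaba</groupId><artifactId>fastjson</artifactId>
      <version>${fastjson.version}</version></dependency>
    <dependency><groupId>com.alibaba</groupId><artifactId>fastjson</artifactId>
      <version>1.2.58</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for v in find_fastjson_versions(SAMPLE_POM):
        print(f"fastjson {v}: {'AFFECTED, upgrade to ' + RECOMMENDED if is_affected(v) else 'ok'}")
```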
Protection recommendations
By default, WAF protects against the zero-day vulnerability in Fastjson. You only need to enable the protection function.
Note: If you use custom protection rules, you must add the following rule to a custom rule group. For more information, see Customize protection rule groups.
