Fastjson zero-day RCE vulnerability detected on July 23, 2019

Edit in GitHub

Last Updated: Sep 29, 2020 Edit in GitHub

On July 23, 2019, Alibaba Cloud Security emergency response center discovered a zero-day remote code execution (RCE) vulnerability in Fastjson. Attackers can exploit the vulnerability and bypass blacklist policies to execute malicious code.

Vulnerability name

Fastjson zero-day RCE vulnerability

Vulnerability description

Attackers can exploit the zero-day vulnerability to craft a request and bypass Fastjson blacklist policies to execute malicious code. For example, an attacker can craft a request and remotely execute specified commands on a server. In this example, a calculator program is running.

Affected versions

Fastjson 1.2.24 and earlier
Fastjson 1.2.41 to 1.2.45

Solution

Upgrade Fastjson to the latest version. We recommend that you upgrade Fastjson to 1.2.58.

Note We recommend that you also upgrade Fastjson outside the affected versions.

Upgrade method

You can update Maven dependency configurations to upgrade Fastjson to 1.2.58.

<dependency>
 <groupId>com.alibaba</groupId>
 <artifactId>fastjson</artifactId>
 <version>1.2.58</version>
</dependency>

Protection recommendations

By default, WAF protects against the zero-day vulnerability in Fastjson. You only need to enable the protection function.