On July 23, 2019, the Alibaba Cloud Security emergency response center discovered a zero-day remote code execution (RCE) vulnerability in Fastjson. Attackers can exploit the vulnerability to bypass blacklist policies and execute malicious code.
Vulnerability name
Fastjson zero-day RCE vulnerability
Vulnerability description
Attackers can exploit the zero-day vulnerability to craft a request that bypasses the Fastjson blacklist policies and executes malicious code. For example, an attacker can craft a request that remotely executes a specified command on the server. In the example shown here, the executed command starts a calculator program.

Affected versions
- Fastjson 1.2.24 and earlier
- Fastjson 1.2.41 to 1.2.45
Solution
Upgrade Fastjson to the latest version. We recommend that you upgrade Fastjson to 1.2.58.
Upgrade method
<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <version>1.2.58</version>
</dependency>
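To check whether a project pulls in one of the affected versions listed above, the following script audits a Maven pom.xml for com.alibaba:fastjson dependencies, resolves a version that is declared through a <properties> placeholder, and flags versions in the ranges 1.2.24 and earlier or 1.2.41 to 1.2.45. This is an added example, not code from the advisory or from the Fastjson project; the pom.xml content is constructed for the demonstration and the 1.2.58 target is the advisory's recommendation.

```python
"""Audit a Maven pom.xml for Fastjson versions listed as affected in the advisory."""
import re
import xml.etree.ElementTree as ET

# Affected ranges from the advisory: 1.2.24 and earlier, and 1.2.41 through 1.2.45.
AFFECTED_RANGES = [((0, 0, 0), (1, 2, 24)), ((1, 2, 41), (1, 2, 45))]
# Version the advisory recommends upgrading to.
RECOMMENDED_VERSION = "1.2.58"

# Constructed sample pom.xml: one fastjson dependency whose version comes from a
# property, plus an unrelated dependency that the audit must ignore.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <fastjson.version>1.2.43</fastjson.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.alibaba</groupId>
      <artifactId>fastjson</artifactId>
      <version>${fastjson.version}</version>
    </dependency>
    <dependency>
      <groupId>com.google.code.gson</groupId>
      <artifactId>gson</artifactId>
      <version>2.8.5</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text):
    """Turn '1.2.58' into (1, 2, 58); a suffix such as '-SNAPSHOT' is ignored."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True when the version falls inside one of the advisory's affected ranges."""
    parsed = parse_version(version)
    return any(low <= parsed <= high for low, high in AFFECTED_RANGES)


def _namespace(root):
    """Return the '{uri}' prefix of the POM's default namespace, or '' if absent."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def maven_properties(root, ns):
    """Collect <properties> children as a name -> value dict."""
    props = root.find(f"{ns}properties")
    if props is None:
        return {}
    return {child.tag[len(ns):]: (child.text or "").strip() for child in props}


def resolve_property(value, props):
    """Replace a '${name}' placeholder with its <properties> value when known."""
    match = re.fullmatch(r"\$\{([^}]+)\}", value.strip())
    if match and match.group(1) in props:
        return props[match.group(1)]
    return value.strip()


def fastjson_versions(pom_xml):
    """Yield the declared version of every com.alibaba:fastjson dependency."""
    root = ET.fromstring(pom_xml)
    ns = _namespace(root)
    props = maven_properties(root, ns)
    for dep in root.iter(f"{ns}dependency"):
        group = dep.findtext(f"{ns}groupId")
        artifact = dep.findtext(f"{ns}artifactId")
        version = dep.findtext(f"{ns}version")
        if group == "com.alibaba" and artifact == "fastjson" and version:
            yield resolve_property(version, props)


def audit_pom(pom_xml):
    """Return a list of (version, affected) for each fastjson dependency found."""
    return [(version, is_affected(version)) for version in fastjson_versions(pom_xml)]


if __name__ == "__main__":
    for version, affected in audit_pom(SAMPLE_POM):
        status = f"AFFECTED, upgrade to {RECOMMENDED_VERSION}" if affected else "not in affected ranges"
        print(f"fastjson {version}: {status}")
```

A version inherited from a parent POM or a dependencyManagement section in another file is not visible to this single-file check, so run it against the effective POM (for example the output of `mvn help:effective-pom`) when the version is not declared locally.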
Protection recommendations
By default, Web Application Firewall (WAF) protects against the zero-day vulnerability in Fastjson. You only need to enable the protection function.