CVE-2025-51743
Published: 25 November 2025
Summary
CVE-2025-51743 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Jishenghua Jsherp. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 34.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely patching and flaw remediation for the fastjson deserialization vulnerability in JSH_ERP directly eliminates the root cause of CVE-2025-51743 exploitation.
Information input validation on the /materialCategory/addMaterialCategory endpoint prevents deserialization of malicious fastjson payloads from untrusted sources.
Boundary protection with web application firewalls monitors and blocks crafted network requests targeting the unauthenticated deserialization endpoint.
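As an added example (not code from the advisory or from the JSH_ERP project), the sketch below shows one way to apply the input-validation control to this endpoint: reject any JSON carrying `@type`, the key fastjson reads to select a class to instantiate, and fail closed on text that is not strict JSON. It assumes the caller has already extracted the JSON text from the request, since the page does not say how the endpoint receives it; the path prefix, field names and class name in the samples are constructed placeholders.

```python
import json

GUARDED_PATH = "/materialCategory/addMaterialCategory"  # endpoint from the advisory
TYPE_KEY = "@type"  # key fastjson reads to choose the class to instantiate


def screen_json(text):
    """Return "allow", "reject-autotype" or "reject-malformed" for JSON text."""
    found = []

    def check_pairs(pairs):
        # Runs for every object at every depth, duplicate keys included, and
        # after escape decoding, so an escaped "@" in the key is still matched.
        if any(key == TYPE_KEY for key, _ in pairs):
            found.append(True)
        return dict(pairs)

    try:
        json.loads(text, object_pairs_hook=check_pairs)
    except (ValueError, RecursionError):
        # Fail closed: a lenient server-side parser may accept what this rejects.
        return "reject-malformed"
    return "reject-autotype" if found else "allow"


def screen_request(path, json_text):
    """Screen only requests whose path (query string removed) hits the endpoint."""
    if not path.split("?", 1)[0].rstrip("/").endswith(GUARDED_PATH):
        return "allow"
    return screen_json(json_text)


# Constructed sample requests: (path, JSON text). Prefix, field names and the
# class name are placeholders, not values from the advisory.
URL = "/app" + GUARDED_PATH
SAMPLES = [
    (URL, '{"name": "Fasteners", "sort": "1"}'),
    (URL + "?t=1", '{"name": "x", "parent": [{"@type": "example.Placeholder"}]}'),
    (URL, '{"\\u0040type": "example.Placeholder", "name": "x"}'),
    (URL, "{name: 'x'}"),
    ("/app/other/endpoint", '{"@type": "example.Placeholder"}'),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(screen_request(path, body), path, body)
```

A filter like this is a compensating control in front of the application; the flaw-remediation control above is what removes the root cause.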
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote unauthenticated deserialization flaw in a public-facing web endpoint, directly enabling exploitation of public-facing applications for arbitrary code execution.
NVD Description
An issue was discovered in jishenghua JSH_ERP 2.3.1. The /materialCategory/addMaterialCategory endpoint is vulnerable to fastjson deserialization attacks.
Deeper analysis
CVE-2025-51743 is a critical vulnerability (CVSS score 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) discovered in jishenghua JSH_ERP version 2.3.1. It affects the /materialCategory/addMaterialCategory endpoint, which is vulnerable to fastjson deserialization attacks, mapped to CWE-502 (Deserialization of Untrusted Data). Published on 2025-11-25, this flaw enables insecure processing of untrusted data in the ERP system's material category management functionality.
Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring neither privileges nor user interaction. Exploitation involves sending a crafted request to the vulnerable endpoint, triggering deserialization of malicious fastjson payloads. This can result in high-impact compromise, including arbitrary code execution, data exfiltration, modification, or denial of service on the affected server.
Mitigation details and further technical analysis are available in referenced advisories, including the discovery report at https://blog.hackpax.top/jsh-erp2/, a proof-of-concept at https://gist.github.com/Paxsizy/cd1557aeba8093a8650601c4dbffb6f9, and the vendor's repositories at https://gitee.com/jishenghua and https://gitee.com/jishenghua/JSH_ERP. Security practitioners should review these for patching guidance or workarounds specific to JSH_ERP deployments.
Details
- CWE(s)