Deserialization of Untrusted Data (Java JSON Deserialization) Fastjson - Vulnerability Database

Deserialization of Untrusted Data (Java JSON Deserialization) Fastjson

Description

This vulnerability occurs when a web application deserializes untrusted JSON data using the Fastjson library with Polymorphic Type Handling enabled. Deserialization is the process of converting structured data back into objects, and when performed on untrusted input, it can allow attackers to instantiate arbitrary classes. Fastjson's AutoType feature, which enables polymorphic deserialization, can be exploited to execute malicious code by crafting JSON payloads that instantiate dangerous classes (deserialization gadgets). This vulnerability has been identified in your application through successful exploitation using a known Fastjson deserialization gadget.

Remediation

Take the following steps to remediate this vulnerability:

1. Upgrade Fastjson Library:
Update to Fastjson version 1.2.83 or later, which includes security patches for known deserialization vulnerabilities. Update your dependency configuration:

<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <version>1.2.83</version>
</dependency>

2. Disable AutoType Feature:
Explicitly disable Fastjson's AutoType feature, which enables polymorphic deserialization:
ParserConfig.getGlobalInstance().setAutoTypeSupport(false);

3. Use SafeMode (Fastjson 1.2.68+):
Enable SafeMode to completely disable AutoType functionality:
ParserConfig.getGlobalInstance().setSafeMode(true);

4. Implement Input Validation:
Validate and sanitize all JSON input before deserialization. Consider using a whitelist approach to only allow expected data structures.

5. Consider Alternative Libraries:
Evaluate migrating to more secure JSON libraries such as Jackson or Gson, which have better security defaults and do not enable polymorphic deserialization by default.
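The hardened setup from steps 2 and 3, combined with deserializing into a fixed target type, as an added example that is not code from the Invicti page or the Fastjson project; the UserProfile class and the com.example.NotAllowed class name are assumed for illustration.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class SafeJsonParsing {

    // Hypothetical DTO: only these fields can ever be populated from input.
    public static class UserProfile {
        public String name;
        public int age;
        public UserProfile() {}
    }

    static {
        // Step 3: SafeMode (Fastjson 1.2.68+) disables AutoType entirely,
        // regardless of accept/deny lists or "@type" hints in the input.
        ParserConfig.getGlobalInstance().setSafeMode(true);
        // Step 2: redundant under SafeMode, but harmless on older code paths.
        ParserConfig.getGlobalInstance().setAutoTypeSupport(false);
    }

    // The target class is chosen by the application code, never by the
    // JSON document itself.
    public static UserProfile parseProfile(String json) {
        return JSON.parseObject(json, UserProfile.class);
    }

    public static void main(String[] args) {
        // Constructed benign input.
        String benign = "{\"name\":\"alice\",\"age\":30}";
        UserProfile p = parseProfile(benign);
        System.out.println("parsed: " + p.name + ", " + p.age);

        // Constructed input that tries to select the class via "@type".
        // Under SafeMode fastjson rejects it before any class is looked up.
        String typed = "{\"@type\":\"com.example.NotAllowed\",\"name\":\"x\"}";
        try {
            parseProfile(typed);
            System.out.println("unexpected: @type hint was accepted");
        } catch (JSONException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the SafeMode flag is global, set it once at application startup (as in the static initializer here) rather than per call, so no parse path can run before it is applied.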
