Skip to main content

Q: What is the exploitation principle of the FastJSON vulnerability?

A: The attacker sends a malicious JSON payload within a request. The vulnerability arises when the JSON object is processed: the @type field is not filtered. This allows the attacker to supply a malicious TemplatesImpl class, which contains a field named _bytecodes. Certain functions generate Java instances based on this _bytecodes field. Consequently, FastJSON can instantiate a class provided via the payload, and the constructor is executed during that instantiation, leading to arbitrary code execution.