
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (CVE-2022-25845) affects Fastjson versions prior to 1.2.83. It lets an attacker bypass the library's default autoType restrictions and, given a suitable gadget class, potentially execute code on the server. The issue was publicly disclosed in June 2022 and affects Java applications that pass user-controlled data to specific Fastjson parsing APIs (JFrog Security, Alibaba Security).
The flaw lies in Fastjson's autoType feature: when a JSON object carries an "@type" key, Fastjson instantiates the named Java class and populates it from the document, so the document rather than the caller decides which type is created. AutoType is disabled by default, but the check could be bypassed when the named class extends java.lang.Throwable. The vulnerability has a CVSS score of 8.1 (High). It specifically affects applications that pass user-controlled data to JSON.parse or JSON.parseObject without supplying a target class to deserialize into (JFrog Security).
While the vulnerability potentially allows remote code execution (RCE), its real-world impact is limited by the conditions required for exploitation. An attacker can only reach deserialization gadget classes that extend Throwable, which greatly narrows the set of usable gadgets. At the time of the analysis, only a single compatible gadget class, from the Selenium package, had been publicly identified, and it yields low-impact information disclosure rather than code execution (JFrog Security).
Several mitigation options are available (Alibaba Security):
1) Upgrade to Fastjson 1.2.83 or later, which fixes the Throwable bypass.
2) Enable Fastjson's Safe Mode, which rejects every "@type" directive regardless of allow-lists. It can be set in code (ParserConfig.getGlobalInstance().setSafeMode(true)), as a JVM parameter (-Dfastjson.parser.safeMode=true), or in the fastjson.properties configuration file (fastjson.parser.safeMode=true). Safe Mode is process-wide, so any code that legitimately relies on "@type" polymorphism must be checked first.
3) Consider migrating to Fastjson v2, which has a stricter security posture but is not a drop-in replacement and requires compatibility testing.
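The following is an added example, not code from this page, from JFrog's analysis, or from the Fastjson project. It shows the vulnerable call pattern described above (untyped JSON.parse on untrusted input) next to the hardened one (Safe Mode plus a caller-pinned target class), and verifies that a "@type" directive is rejected once Safe Mode is on. It assumes Fastjson 1.2.x on the classpath; the FastjsonAutoTypeDemo and LoginEvent classes, the inner class name in the probe, and the sample documents are all constructed for illustration and are not a real gadget or exploit.

```java
// Added example (not from the Wiz page, JFrog, or the Fastjson project).
// Assumes fastjson 1.2.x on the classpath, e.g. com.alibaba:fastjson:1.2.83.
// LoginEvent, the probe document and "com.example.NotARealGadget" are constructed.
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastjsonAutoTypeDemo {

    // The shape of legitimate input. Pinning this class means the caller,
    // not the JSON document, decides which Java type gets instantiated.
    public static class LoginEvent {
        private String user;
        private long timestamp;
        public String getUser() { return user; }
        public void setUser(String user) { this.user = user; }
        public long getTimestamp() { return timestamp; }
        public void setTimestamp(long timestamp) { this.timestamp = timestamp; }
    }

    // VULNERABLE PATTERN (pre-1.2.83): no target class, so any "@type" key in
    // the document steers class selection; the Throwable path is where the
    // default autoType restriction could be bypassed.
    static Object parseUntyped(String untrustedJson) {
        return JSON.parse(untrustedJson); // JSON.parseObject(untrustedJson) is equivalent here
    }

    // HARDENED PATTERN: the target class is fixed by the caller. Combined with
    // Safe Mode (set once, below) no "@type" directive is honoured at all.
    static LoginEvent parseTyped(String untrustedJson) {
        return JSON.parseObject(untrustedJson, LoginEvent.class);
    }

    // Returns true when Fastjson refused the "@type" directive, which is the
    // behaviour we want from a hardened deployment.
    static boolean probeIsRejected(String probeJson) {
        try {
            parseUntyped(probeJson);
            return false;
        } catch (JSONException e) {
            // With Safe Mode on, checkAutoType throws before any class is loaded.
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed probe: a "@type" directive naming a Throwable subclass.
        // The class name is a placeholder, not a known gadget.
        String probe = "{\"@type\":\"com.example.NotARealGadget\",\"message\":\"probe\"}";
        String benign = "{\"user\":\"alice\",\"timestamp\":1700000000}";

        // Same effect as -Dfastjson.parser.safeMode=true on the JVM command line
        // or fastjson.parser.safeMode=true in fastjson.properties. Process-wide.
        ParserConfig.getGlobalInstance().setSafeMode(true);

        System.out.println("probe rejected under Safe Mode: " + probeIsRejected(probe));

        // Typed parsing still works for ordinary documents without "@type".
        LoginEvent ev = parseTyped(benign);
        System.out.println("user=" + ev.getUser() + " timestamp=" + ev.getTimestamp());
    }
}
```

Safe Mode is the robust control here because it is independent of allow-lists and of which deserializer handles a given class; pinning the target class is good hygiene on top of it, but on its own it only narrows, rather than removes, the surface that document-driven "@type" keys expose. Run the program once with the setSafeMode line commented out on a pre-1.2.83 build to confirm the difference in behaviour before relying on either setting.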
Source: This report was generated using AI