
CVE-2025-51742: n/a

Severity: Unknown (no CVSS score assigned)
Published: Tue Nov 25 2025 (11/25/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue was discovered in jishenghua JSH_ERP 2.3.1. The /material/getMaterialEnableSerialNumberList endpoint passes the search query parameter directly to parseObject(), introducing a Fastjson deserialization vulnerability that can lead to RCE via JDBC payloads.

AI-Powered Analysis

AI analysis last updated: 11/25/2025, 20:20:18 UTC

Technical Analysis

CVE-2025-51742 is a deserialization vulnerability in jishenghua JSH_ERP 2.3.1. The /material/getMaterialEnableSerialNumberList endpoint reads its search query parameter and hands the raw string to Fastjson's parseObject(). Fastjson, a widely used Java JSON library, supports polymorphic deserialization through an "@type" key: when that feature (autoType) is reachable, the JSON document itself names the class Fastjson instantiates and the setters it invokes, so attacker-controlled JSON reaching parseObject() lets the attacker choose a gadget class. The CVE text attributes the path to remote code execution to "JDBC payloads" without naming the gadget. The JDBC-related Fastjson chains described in public research are com.sun.rowset.JdbcRowSetImpl, whose dataSourceName setter triggers a JNDI lookup of an attacker-supplied URL, and MySQL Connector/J data-source classes pointed at an attacker-controlled server with autoDeserialize enabled; which of these (if either) applies depends on the Fastjson version bundled with JSH_ERP and on the classes present on its classpath, and the advisory states neither. The description also does not say whether the endpoint requires an authenticated session; until the code confirms otherwise, treat it as reachable by anyone who can send requests to the application. No CVSS score has been assigned and no public exploit had been reported at the time of writing, but the pattern (untrusted input to parseObject() with a working gadget chain) is well understood and has historically been trivial to weaponize. The CVE was reserved on 2025-06-16 and published on 2025-11-25. No vendor patch was referenced when this entry was written, so mitigation currently rests on Fastjson configuration, input handling and network controls. Organizations running JSH_ERP in manufacturing or other operationally critical settings should assess their exposure now.

Potential Impact

For European organizations the impact could be severe. JSH_ERP is an enterprise resource planning system aimed at manufacturing, supply chain and materials management, sectors that are central to European industrial economies. Successful exploitation gives the attacker code execution on the ERP server itself, from which they can read or alter business-critical data, disrupt operations, or pivot into the rest of the network. Confidentiality of commercial and intellectual-property data, integrity of inventory and production records, and availability of the ERP service (through crashes or ransomware deployment) are all at stake, and an ERP outage translates directly into financial and reputational loss. Because the CVE description gives no indication that authentication is required, the exposure is greatest where the application is internet-facing or reachable from poorly segmented internal networks, which is common for ERP systems accessed by plant-floor and partner users.

Mitigation Recommendations

To mitigate CVE-2025-51742, start with the library rather than the endpoint. Fastjson 1.2.68 and later support safeMode, which disables autoType entirely; enable it process-wide with ParserConfig.getGlobalInstance().setSafeMode(true) at startup or with the JVM flag -Dfastjson.parser.safeMode=true, and confirm that autoTypeSupport has not been switched on anywhere in the deployment. If the bundled Fastjson predates safeMode, upgrade it; if a whitelist is the only option, restrict the accepted class prefixes with ParserConfig.addAccept() to the application's own packages. At the endpoint, bind the search parameter to a concrete filter class instead of a generic JSONObject, bound its length, and reject any request whose JSON carries an "@type" key, remembering that Fastjson decodes \uXXXX escapes in keys, so a WAF or application check that looks only for the literal text "@type" is bypassable. The JDBC and JNDI gadget chains all require the ERP server to open an outbound LDAP, RMI, HTTP or MySQL connection to an attacker-controlled host; egress filtering from the ERP server to the internet and to unapproved internal hosts removes the second half of the exploit even where the first half succeeds. Log the full request to this endpoint and alert on "@type" (including escaped variants), on unexpected outbound connections from the ERP process, and on Java child processes spawned by it. Keep the application off untrusted networks through segmentation, ask the vendor for a fixed release and apply it when available, include deserialization in the next penetration test of the system, and verify that backups and the incident response plan would actually cover an ERP server compromise.
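The unsafe pattern the description attributes to the endpoint, next to a hardened replacement, as an added example written for this entry; it is not JSH_ERP's code and the MaterialSearch fields, the class and method names, and the sample inputs are assumptions chosen for illustration. It assumes com.alibaba:fastjson 1.2.68 or later on the classpath, since that is where safeMode appears; the gadget class in the probe input is a placeholder, not a real chain.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.parser.ParserConfig;

import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class MaterialSearchHardening {

    // Hypothetical filter type: the fields a serial-number search would plausibly carry.
    // Binding to a fixed class means nothing in the request can choose the class to build.
    public static class MaterialSearch {
        public String name;
        public String model;
        public String serialNumber;
        public Long depotId;
    }

    static {
        // Process-wide: safeMode disables autoType completely (Fastjson >= 1.2.68).
        // In production set this at startup or via -Dfastjson.parser.safeMode=true.
        ParserConfig.getGlobalInstance().setSafeMode(true);
        ParserConfig.getGlobalInstance().setAutoTypeSupport(false); // default, stated explicitly
    }

    // Unsafe shape reconstructed from the CVE description (not the project's source):
    // the raw "search" query parameter goes straight into parseObject(). If autoType is
    // reachable, an "@type" key in the request picks the class Fastjson instantiates.
    public static JSONObject parseSearchUnsafe(String search) {
        return JSON.parseObject(search);
    }

    // Hardened: bounded input, explicit rejection of type selection, binding to a POJO.
    public static MaterialSearch parseSearchHardened(String search) {
        if (search == null || search.isEmpty()) {
            return new MaterialSearch();
        }
        if (search.length() > 2048) {
            throw new IllegalArgumentException("search parameter too large");
        }
        if (containsTypeKey(search)) {
            throw new IllegalArgumentException("type selection is not permitted in search");
        }
        try {
            // Even if this check were skipped, safeMode makes an "@type" key throw here.
            return JSON.parseObject(search, MaterialSearch.class);
        } catch (JSONException e) {
            throw new IllegalArgumentException("malformed search filter", e);
        }
    }

    private static final Pattern UNICODE_ESCAPE = Pattern.compile("\\\\u([0-9a-fA-F]{4})");

    // Fastjson decodes \uXXXX escapes inside keys, so "\u0040type" is the same key as
    // "@type". Normalise escapes first so the screening cannot be bypassed that way.
    public static boolean containsTypeKey(String json) {
        Matcher m = UNICODE_ESCAPE.matcher(json);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            char c = (char) Integer.parseInt(m.group(1), 16);
            m.appendReplacement(sb, Matcher.quoteReplacement(String.valueOf(c)));
        }
        m.appendTail(sb);
        return sb.toString().contains("@type");
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal filter and two shapes of an autoType probe.
        String normal = "{\"name\":\"bearing\",\"serialNumber\":\"SN-00042\"}";
        String probe = "{\"@type\":\"com.example.SomeGadget\",\"x\":1}";
        String escapedProbe = "{\"\\u0040type\":\"com.example.SomeGadget\",\"x\":1}";

        MaterialSearch ok = parseSearchHardened(normal);
        System.out.println("bound filter: name=" + ok.name + " serial=" + ok.serialNumber);
        for (String bad : new String[] {probe, escapedProbe}) {
            try {
                parseSearchHardened(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The pre-parse containsTypeKey check is defence in depth and doubles as the logic a WAF rule or request logger should apply; safeMode is the control that actually closes the hole, and the POJO binding limits what a future Fastjson bypass could reach.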


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-06-16T00:00:00.000Z
CVSS Version: none (no score assigned)
State: PUBLISHED

Threat ID: 69260c0cffc41f183f7e2ce6

Added to database: 11/25/2025, 8:05:32 PM

Last enriched: 11/25/2025, 8:20:18 PM

Last updated: 11/25/2025, 9:14:19 PM


