Overview
CVE-2025-51742 details a critical vulnerability found in jishenghua JSH_ERP version 2.3.1. This vulnerability stems from improper handling of user-supplied input within the /material/getMaterialEnableSerialNumberList endpoint. Specifically, the application passes the search query parameter directly to the parseObject() method of the Fastjson library without adequate sanitization. This can be exploited to achieve Remote Code Execution (RCE) by crafting malicious JDBC payloads.
Technical Details
The root cause of this vulnerability lies in the insecure use of Fastjson’s deserialization capabilities. Fastjson, by default, supports deserializing Java objects from JSON strings. When uncontrolled user input is fed directly into parseObject(), an attacker can inject specially crafted JSON that forces Fastjson to instantiate arbitrary Java classes. In this case, a malicious actor can leverage this flaw to trigger JDBC connections, effectively executing arbitrary code on the server hosting the JSH_ERP application.
The vulnerable endpoint is /material/getMaterialEnableSerialNumberList. The search parameter, intended for filtering material data, is directly passed to the Fastjson parser. An attacker can inject a Fastjson payload (e.g., using dataSourceName with a malicious JDBC URL) within the search parameter to trigger an RCE.
CVSS Analysis
No CVSS score has been assigned yet. However, given the nature of the vulnerability (Remote Code Execution), a high or critical CVSS score is anticipated. Factors contributing to a potentially high score include:
- Attack Vector: Network
- Attack Complexity: Low (due to publicly available exploits)
- Privileges Required: None (unauthenticated exploitation possible in some configurations)
- User Interaction: None
- Scope: Changed
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
A CVSS score will likely be assigned as more analysis is completed and published by security researchers and vulnerability databases.
Possible Impact
Successful exploitation of CVE-2025-51742 can have severe consequences, including:
- Complete System Compromise: An attacker gains full control of the server hosting the JSH_ERP application.
- Data Breach: Sensitive data stored within the ERP system can be accessed, modified, or exfiltrated.
- Denial of Service (DoS): The application can be rendered unavailable by malicious code execution, leading to significant business disruption.
- Supply Chain Attacks: If the ERP system integrates with other systems, the compromise can spread to connected networks and partners.
Mitigation and Patch Steps
To mitigate the risk posed by CVE-2025-51742, the following steps are recommended:
- Apply the Patch: Upgrade JSH_ERP to a patched version that addresses the vulnerability. Contact the vendor, jishenghua, for the latest updates and security advisories. Monitor their Gitee repository for updates: https://gitee.com/jishenghua/JSH_ERP
- Input Validation: Implement strict input validation and sanitization on the search parameter of the /material/getMaterialEnableSerialNumberList endpoint. Prevent the direct passing of user input to parseObject().
- Fastjson Version Control: Upgrade the Fastjson library to the latest stable version, which includes security fixes and mitigations against deserialization vulnerabilities. Consider enabling Fastjson's SafeMode.
- Web Application Firewall (WAF): Deploy a WAF to filter malicious requests and block common Fastjson exploitation attempts.
- Network Segmentation: Isolate the JSH_ERP server from other critical systems to limit the potential impact of a successful attack.
- Monitor logs: Continuously monitor application logs for suspicious activity, especially related to JDBC connections and Fastjson deserialization attempts.
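Added example (not JSH_ERP's own code): the unsafe parseObject() call the advisory describes, next to a hardened version that enables Fastjson SafeMode and binds the search parameter to a fixed filter class. It assumes Fastjson 1.2.68 or later (where the SafeMode API exists) and a hypothetical MaterialSearch class whose field names are placeholders.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.parser.ParserConfig;

public class MaterialSearchParsing {

    // Hypothetical filter object: only the fields the endpoint actually needs.
    // Fastjson binds public fields, so no setters are required here.
    public static class MaterialSearch {
        public String materialName;
        public String serialNumber;
    }

    static {
        // SafeMode (Fastjson 1.2.68+) disables autoType completely, so an
        // "@type" key in the input can never select a class to instantiate.
        // The same switch exists as the JVM flag -Dfastjson.parser.safeMode=true.
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    // The pattern the advisory describes: the raw query parameter goes straight
    // into parseObject(), so the caller decides what Fastjson deserializes.
    static JSONObject parseUnsafe(String search) {
        return JSON.parseObject(search);
    }

    // Hardened version: bound the input size up front and bind the JSON to a
    // fixed POJO instead of an open-ended object graph; anything that is not a
    // plain filter is rejected before it reaches business logic.
    static MaterialSearch parseHardened(String search) {
        if (search == null || search.isEmpty() || search.length() > 512) {
            throw new IllegalArgumentException("search parameter missing or too long");
        }
        try {
            MaterialSearch filter = JSON.parseObject(search, MaterialSearch.class);
            if (filter == null) {
                throw new IllegalArgumentException("search parameter is not a JSON object");
            }
            return filter;
        } catch (JSONException e) {
            // With SafeMode enabled, Fastjson throws here for any autoType attempt.
            throw new IllegalArgumentException("search parameter is not a valid filter", e);
        }
    }

    public static void main(String[] args) {
        MaterialSearch filter = parseHardened("{\"materialName\":\"bolt\"}");
        System.out.println("materialName=" + filter.materialName);
    }
}
```

Binding to MaterialSearch.class means unknown keys are ignored and only string fields are populated, so even a well-formed JSON object cannot steer the parser toward a JDBC data source.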
References
- Blog Post: https://blog.hackpax.top/jsh-erp/
- Gist Exploit: https://gist.github.com/Paxsizy/a40334ffa7f05c42bf0348833f830108
- JSH_ERP Gitee: https://gitee.com/jishenghua
- JSH_ERP Project Gitee: https://gitee.com/jishenghua/JSH_ERP
