JSH_ERP Security Alert: Fastjson Deserialization Vulnerability Uncovered (CVE-2025-51745)

Overview

CVE-2025-51745 identifies a critical security vulnerability affecting jishenghua JSH_ERP version 2.3.1. This vulnerability stems from the insecure use of Fastjson deserialization in the /role/addcan endpoint, potentially allowing attackers to execute arbitrary code on the server.

Technical Details

The /role/addcan endpoint in JSH_ERP 2.3.1 is susceptible to Fastjson deserialization attacks. Fastjson, a high-performance JSON library, can be exploited when handling untrusted data. If the application deserializes attacker-controlled JSON payloads without proper validation, it can lead to remote code execution (RCE). The specific details of how the payload is crafted and delivered are available in the referenced resources.

Attackers can leverage this flaw to inject malicious code through the vulnerable endpoint. By crafting a specially designed JSON payload, an attacker can trigger the execution of arbitrary commands on the underlying server, compromising the system’s integrity and confidentiality.

CVSS Analysis

Currently, a CVSS score and severity rating are not available for CVE-2025-51745. Given the potential for remote code execution, it is likely that the vulnerability would receive a high to critical CVSS score upon evaluation. Further analysis is needed to determine the exact score.

Possible Impact

Successful exploitation of CVE-2025-51745 can have severe consequences:

  • Remote Code Execution (RCE): An attacker can execute arbitrary commands on the server, gaining complete control.
  • Data Breach: Sensitive data stored within the JSH_ERP system could be compromised.
  • System Takeover: The attacker can potentially take full control of the server and use it for malicious purposes, such as launching attacks on other systems.
  • Denial of Service (DoS): The attacker might be able to crash the application or the server, causing a denial of service for legitimate users.

Mitigation and Patch Steps

To mitigate the risk posed by CVE-2025-51745, the following steps are recommended:

  • Upgrade JSH_ERP: Upgrade to a patched version of JSH_ERP as soon as one becomes available from jishenghua. Monitor the JSH_ERP repository on Gitee for updates.
  • Input Validation: Implement strict input validation on the /role/addcan endpoint to prevent the deserialization of malicious JSON payloads. Sanitize all user-provided data before processing it.
  • Disable AutoType: Disable Fastjson's AutoType feature if it is not required; where it cannot be disabled, restrict deserialization to an explicit allow-list of classes.
  • Web Application Firewall (WAF): Deploy a Web Application Firewall (WAF) with rules that can detect and block Fastjson deserialization attacks.
  • Monitor System Activity: Monitor system logs for suspicious activity that may indicate an attempted exploitation of this vulnerability.
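The following Java example ties together the Technical Details and the mitigation steps above: it hardens a Fastjson-based handler for a request body like the one /role/addcan receives by disabling AutoType globally, parsing into a fixed target class, rejecting bodies that carry a type hint before they reach the parser, and reusing that same check to flag suspicious log lines. This is an added example, not code from JSH_ERP or from the advisory author; it assumes fastjson 1.2.68 or later on the classpath, and the class, method and field names (SafeJson, RoleCanRequest, roleId, functionIds) as well as the sample log lines are hypothetical.

```java
// Added example (not JSH_ERP code): hardening Fastjson deserialization for a
// role-permission request body. Assumes fastjson >= 1.2.68 on the classpath.
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.ParserConfig;
import java.util.Arrays;
import java.util.List;

public class SafeJson {

    // Hypothetical DTO for the request body. A fixed target type means the
    // parser never chooses the class from the payload, which is what AutoType
    // abuse relies on. The vulnerable pattern is JSON.parse(body) with AutoType
    // enabled and no target type.
    public static class RoleCanRequest {
        private Long roleId;
        private List<Long> functionIds;
        public Long getRoleId() { return roleId; }
        public void setRoleId(Long roleId) { this.roleId = roleId; }
        public List<Long> getFunctionIds() { return functionIds; }
        public void setFunctionIds(List<Long> ids) { this.functionIds = ids; }
    }

    static {
        ParserConfig config = ParserConfig.getGlobalInstance();
        // safeMode (fastjson >= 1.2.68) turns AutoType off completely, including
        // the built-in whitelist. Use it when the application needs no AutoType.
        config.setSafeMode(true);
        // On releases without safeMode the fallback is:
        //   config.setAutoTypeSupport(false);
        // and, if some AutoType is unavoidable, allow-list only your own DTO packages:
        //   config.addAccept("com.example.dto.");
    }

    /**
     * Defence-in-depth check run before parsing: "@type" is Fastjson's
     * class-selection key and a legitimate role request never sends it.
     * The JSON unicode escape for '@' is normalised so it cannot be used
     * to slip past a naive string match.
     */
    public static boolean containsTypeHint(String body) {
        if (body == null) return false;
        String normalized = body.replace("\\u0040", "@").toLowerCase();
        return normalized.contains("@type");
    }

    /** Parses a request body into the fixed DTO, rejecting anything carrying a type hint. */
    public static RoleCanRequest parseRoleCan(String body) {
        if (containsTypeHint(body)) {
            throw new IllegalArgumentException("type hint in request body rejected");
        }
        // Typed parse: the target class is fixed by the code, not by the payload.
        return JSON.parseObject(body, RoleCanRequest.class);
    }

    /**
     * Monitoring helper for the "Monitor System Activity" step: flags an
     * access-log line (assumed to include the request body) that targets the
     * role endpoint and carries a type hint.
     */
    public static boolean suspiciousLogLine(String line) {
        return line != null && line.contains("/role/addcan") && containsTypeHint(line);
    }

    public static void main(String[] args) {
        // Constructed sample bodies, not captured traffic.
        String legit = "{\"roleId\":1,\"functionIds\":[10,11]}";
        String hinted = "{\"@type\":\"some.Class\",\"roleId\":1}";
        String escaped = "{\"\\u0040type\":\"some.Class\",\"roleId\":1}";

        RoleCanRequest req = parseRoleCan(legit);
        System.out.println("roleId=" + req.getRoleId() + " functions=" + req.getFunctionIds());
        for (String bad : Arrays.asList(hinted, escaped)) {
            try {
                parseRoleCan(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }

        // Constructed sample log lines, not from a real server.
        String[] log = {
            "10.0.0.5 POST /role/addcan body={\"roleId\":1,\"functionIds\":[10]}",
            "10.0.0.9 POST /role/addcan body={\"@type\":\"some.Class\"}",
            "10.0.0.9 GET /user/list"
        };
        for (String line : log) {
            System.out.println((suspiciousLogLine(line) ? "ALERT " : "ok    ") + line);
        }
    }
}
```

The pre-parse check is deliberately coarse: it will also reject a legitimate field literally named "@type", which this request shape never has, so a false positive here costs nothing while a miss would hand the parser a class name chosen by the client. The real control is the fixed target class plus safeMode; the string check and the log filter exist so an attempt is both blocked and visible.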

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.