Overview
CVE-2025-51744 describes a Fastjson deserialization vulnerability affecting jishenghua JSH_ERP version 2.3.1. Specifically, the /user/addUser endpoint hands the JSON request body to the Fastjson library without restricting which Java types it may instantiate. A malicious actor who can reach this endpoint could therefore submit a specially crafted JSON payload during the user creation process that causes the server to instantiate attacker-chosen classes, which in Fastjson deserialization issues typically leads to arbitrary code execution on the server.
Technical Details
The vulnerability stems from the insecure deserialization of user-supplied data via the Fastjson library within the /user/addUser endpoint. Fastjson supports a special "@type" key in JSON objects that names the Java class to instantiate for that object (its autoType feature). When autoType is enabled, or when the target type is broad enough that Fastjson consults the "@type" key anyway, the parser can be tricked into instantiating arbitrary classes present on the classpath and calling their setters, constructors, or getters with attacker-controlled values. An attacker would craft a JSON payload whose objects carry "@type" keys naming classes (so-called gadgets) whose instantiation has dangerous side effects; when Fastjson deserializes the payload, those side effects lead to remote code execution (RCE). Note that Fastjson decodes JSON string escapes before comparing key names, so a payload can spell the key as "\u0040type" and still be treated as "@type".
Further details and proof-of-concept (PoC) exploits can be found in the provided references.
CVSS Analysis
Due to the nature of the vulnerability, and its reported status as ‘N/A’ for both Severity and CVSS Score by the official sources at time of publishing, a full CVSS score is not yet available. Given the potential for Remote Code Execution (RCE), it is likely that once a CVSS score is determined it would be classified as Critical severity, with a CVSS base score in the 9.0 to 10.0 range if the /user/addUser endpoint can be reached without authentication. The published sources do not state whether authentication is required to call this endpoint; if it is, the base score would be somewhat lower (the Privileges Required metric would not be None) but the impact metrics would still be high. Monitor the official CVE details for updates to the official severity and CVSS score.
Possible Impact
The exploitation of this vulnerability could have severe consequences, including:
- Remote Code Execution (RCE): Attackers could execute arbitrary code on the server hosting the JSH_ERP application, potentially leading to complete system compromise.
- Data Breach: Sensitive data stored within the ERP system could be accessed, modified, or exfiltrated.
- System Downtime: An attacker could disrupt the operation of the ERP system, leading to significant business interruption.
- Financial Loss: Recovery from a successful attack can be costly, involving incident response, system remediation, and potential legal ramifications.
Mitigation or Patch Steps
The most effective mitigation is to update JSH_ERP to a patched version that addresses the Fastjson deserialization vulnerability. Contact the vendor (jishenghua) to obtain the latest version or security patch. As a check, confirm which Fastjson version the deployed application actually bundles (for example from its dependency manifest or the jar files shipped with it) rather than relying on the JSH_ERP version number alone.
In the absence of an immediate patch, consider the following temporary workarounds:
- Web Application Firewall (WAF): Implement a WAF rule that inspects JSON bodies sent to the /user/addUser endpoint and blocks any request containing an "@type" key at any nesting depth. The rule must decode JSON string escapes before matching, because Fastjson treats "\u0040type" as "@type" and a rule that only matches the literal bytes "@type" is trivially bypassed.
- Network Segmentation: Isolate the JSH_ERP system from other critical network segments to limit the potential impact of a successful attack.
- Input Validation: Implement strict input validation on the /user/addUser endpoint so that only the expected fields with the expected scalar types are accepted before the body reaches the deserializer. (Note: validation applied after Fastjson has already parsed the body does nothing against deserialization exploits, since the dangerous class instantiation happens during parsing.)
- Disable Fastjson autoType: If possible, configure Fastjson so that "@type" keys are never honoured. In Fastjson 1.2.25 and later autoType is disabled by default and gated by an allowlist, and in 1.2.68 and later the safeMode setting (the fastjson.parser.safeMode=true system property, or ParserConfig.getGlobalInstance().setSafeMode(true)) turns autoType off entirely regardless of other settings. Confirm that the application does not re-enable it (for example via Feature.SupportAutoType or an autoType accept list). Consult the Fastjson documentation for details. This may break existing functionality that relies on polymorphic deserialization, so thorough testing is required.
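The following is an added example illustrating both the payload shape described under Technical Details and the decode-before-match check the WAF and input validation workarounds above call for; it is not code from JSH_ERP, Fastjson, or the page's references. It runs a small fail-closed inspector over constructed request bodies. The class name com.example.Gadget is a hypothetical placeholder (the page names no gadget chain), and the handling of "\xHH" escapes reflects Fastjson's lexer, which accepts that non-standard escape in addition to the JSON "\uHHHH" form.

```python
import json
import re
from typing import Any, Dict, List

# Constructed sample request bodies for this example; not captured traffic.
# "com.example.Gadget" is a hypothetical class name standing in for whatever
# class an attacker would name; the advisory does not identify a gadget chain.
SAMPLE_BODIES = {
    "benign": '{"username": "alice", "password": "S3cret!", "role": "clerk"}',
    "plain": '{"@type": "com.example.Gadget", "username": "mallory"}',
    "unicode": '{"\\u0040type": "com.example.Gadget", "username": "mallory"}',
    "hex_nested": '{"username": "mallory", "profile": {"\\x40type": "com.example.Gadget"}}',
    "in_array": '{"username": "mallory", "roles": [{"@type": "com.example.Gadget"}]}',
}

# Matches Fastjson's non-standard two-hex-digit escape, e.g. \x40 for "@".
_HEX_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{2})')


def normalize_fastjson_escapes(body: str) -> str:
    """Rewrite \\xHH escapes to the standard \\u00HH form so that a
    standards-compliant JSON parser decodes the key the same way
    Fastjson's more lenient lexer would."""
    return _HEX_ESCAPE.sub(lambda m: '\\u00' + m.group(1).lower(), body)


def find_type_keys(node: Any, path: str = "$") -> List[str]:
    """Walk the decoded document and return JSONPath-like locations of
    every '@type' key, at any depth, including inside arrays.  Matching
    happens on decoded keys, so escaped spellings are caught too."""
    hits: List[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key == "@type":
                hits.append(here)
            hits.extend(find_type_keys(value, here))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_type_keys(item, f"{path}[{index}]"))
    return hits


def inspect_body(body: str) -> Dict[str, Any]:
    """Decide whether a request body may be forwarded to the deserializer.

    Fails closed: a body this parser cannot decode is blocked rather than
    passed through, because Fastjson might still accept it."""
    try:
        document = json.loads(normalize_fastjson_escapes(body))
    except ValueError as exc:
        return {"decision": "block", "reasons": [f"unparseable JSON: {exc}"]}
    hits = find_type_keys(document)
    if hits:
        return {"decision": "block", "reasons": [f"@type key at {h}" for h in hits]}
    return {"decision": "allow", "reasons": []}


if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        verdict = inspect_body(body)
        print(f"{name:10s} {verdict['decision']:5s} {'; '.join(verdict['reasons'])}")
```

The point of the example is the order of operations: decode first, then match on the decoded key. A rule that searches the raw body for the literal string "@type" allows the "unicode" and "hex_nested" bodies straight through, while this inspector blocks all four malicious samples and allows only the benign one.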
