ktg-mes Fastjson Deserialization Vulnerability
Vulnerability
A deserialization vulnerability in ktg-mes has been identified, stemming from the use of a vulnerable version of fastjson that improperly handles unsafe input data. This issue is present in all commits prior to 2025-10-08.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the server.
Reproduction
To reproduce this vulnerability, send a PUT request to the '/dev-api/tool/gen' endpoint with a payload that includes maliciously crafted JSON data. The 'params' field of the JSON payload should be constructed to exploit the deserialization flaw, such as by referencing an exception type that could lead to code execution. Include an 'Admin-Token' cookie and a Bearer token in the Authorization header to authenticate the request.
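For detection, an added example (not from the advisory or the ktg-mes code base): a Python check that a proxy or log pipeline could run over request bodies sent to the endpoint above, flagging type references anywhere in the JSON. It assumes the type reference is carried in fastjson's `@type` key, which the advisory does not name; the route suffix match, the sample requests and the class name are constructed placeholders.

```python
import json
import re

ENDPOINT_SUFFIX = "/tool/gen"   # assumption: matches /dev-api/tool/gen and the un-proxied path
# Raw fallback for bodies Python cannot parse (fastjson accepts looser syntax).
RAW_MARKER = re.compile(r"@type|\\u0040type", re.IGNORECASE)

def find_type_keys(node, path="$"):
    """Return the JSON paths of every '@type' key, at any nesting depth."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "@type":
                hits.append(child)
            hits.extend(find_type_keys(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_type_keys(value, f"{path}[{i}]"))
    elif isinstance(node, str) and RAW_MARKER.search(node):
        hits.append(path + " (embedded string)")
    return hits

def inspect_request(method, url_path, body):
    """Return (verdict, paths) for PUTs to the endpoint, None for other traffic."""
    route = url_path.split("?", 1)[0].rstrip("/")
    if method.upper() != "PUT" or not route.endswith(ENDPOINT_SUFFIX):
        return None
    try:
        doc = json.loads(body)  # decoding also normalises escaped key spellings
    except ValueError:
        verdict = "alert-unparseable" if RAW_MARKER.search(body) else "review-unparseable"
        return (verdict, [])
    hits = find_type_keys(doc)
    return ("alert", hits) if hits else ("clean", [])

# Constructed sample traffic; the class name is a harmless placeholder.
SAMPLES = [
    ("PUT", "/dev-api/tool/gen", '{"id": 1, "params": {"note": "demo"}}'),
    ("PUT", "/dev-api/tool/gen", '{"params": {"@type": "com.example.Placeholder"}}'),
    ("PUT", "/dev-api/tool/gen", r'{"params": {"x": [{"\u0040type": "com.example.Placeholder"}]}}'),
    ("PUT", "/dev-api/tool/gen", "{'params': {'@type': 'com.example.Placeholder'}}"),
    ("GET", "/dev-api/tool/gen/list", "{}"),
]

if __name__ == "__main__":
    for method, url_path, body in SAMPLES:
        print(method, url_path, inspect_request(method, url_path, body))
```

A body that Python's strict parser rejects is still reported, because the server-side parser may accept it.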
