changmingxie tcc-transaction Fastjson AutoType REST API Fastjson.parseObject deserialization
Description
A flaw has been found in changmingxie tcc-transaction up to 2.1.0. This issue affects the function Fastjson.parseObject of the component Fastjson AutoType REST API. This manipulation causes deserialization. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Severe deserialization RCE in tcc-transaction up to 2.1.0 via Fastjson AutoType when attackers write crafted JSON payloads to Redis.
Vulnerability
A flaw in changmingxie tcc-transaction up to version 2.1.0 affects the component Fastjson AutoType REST API. The function Fastjson.parseObject is exposed via the REST API, and transaction data serialized with Fastjson is stored in Redis. When the system later deserializes this data during transaction recovery, the AutoType feature is enabled, allowing instantiation of arbitrary classes. This is a classic deserialization issue (CWE-502). All versions up to and including 2.1.0 are affected [1].
Exploitation
An attacker can initiate the attack remotely by writing a crafted JSON payload to Redis. The write path is accessible via the REST API, and in default deployments Redis may be unauthenticated, making the attack straightforward. The attacker supplies a JSON object containing a @type field that points to a malicious class. When Fastjson.parseObject() is called on the stored data, it instantiates the attacker-specified class, leading to arbitrary code execution [1]. No user interaction beyond the initial write is required; the trigger happens automatically during recovery.
Impact
Successful exploitation grants the attacker remote code execution (RCE) on the server hosting tcc-transaction. This can lead to full compromise of confidentiality, integrity, and availability. The attacker gains the privilege level of the application process, which may allow lateral movement within the infrastructure [1].
Mitigation
No official fix has been released by the vendor, who did not respond to the disclosure. Mitigations include: disabling AutoType by calling ParserConfig.getGlobalInstance().setAutoTypeSupport(false) and enabling safeMode; using an explicit type whitelist instead of open AutoType; requiring authentication for Redis connections; and restricting Redis access to the application servers only via network segmentation [1]. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at publication time.
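The configuration change listed above, shown as an added example rather than code from the tcc-transaction project: the weak global setting (AutoType on, safeMode off) next to the hardened one, plus a recovery-side parse that deserializes only into an explicit target class and treats a rejected record as a failure. It assumes Fastjson 1.2.68 or later (safeMode does not exist in earlier releases); the TransactionRecord class, the sample JSON strings and the com.example package names are constructed for the example.

```java
// Added example (not tcc-transaction project code): hardening Fastjson 1.2.x
// (1.2.68 or later, assumed) so that data read back from Redis cannot carry
// a "@type" directive that makes parseObject instantiate an arbitrary class.
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class SafeRecoveryParser {

    // Assumed shape of a persisted transaction record; the real project's
    // class differs, this one exists only for the example.
    public static class TransactionRecord {
        private String xid;
        private int status;
        public String getXid() { return xid; }
        public void setXid(String xid) { this.xid = xid; }
        public int getStatus() { return status; }
        public void setStatus(int status) { this.status = status; }
    }

    // Weak setting the advisory describes: AutoType honoured globally.
    // Shown for contrast only; never apply this in production.
    static void weakConfig() {
        ParserConfig config = ParserConfig.getGlobalInstance();
        config.setAutoTypeSupport(true);
        config.setSafeMode(false);
    }

    // Corrected setting from the advisory's mitigation list: safeMode makes
    // Fastjson reject every "@type" key outright, and AutoType stays off.
    // If a specific subtype genuinely must be deserialized, drop safeMode
    // and whitelist that package explicitly with addAccept instead.
    static void hardenedConfig() {
        ParserConfig config = ParserConfig.getGlobalInstance();
        config.setAutoTypeSupport(false);
        config.setSafeMode(true);
        // config.addAccept("com.example.trusted.");  // placeholder package, only with safeMode off
    }

    // Parse a record fetched from Redis into the explicit target class.
    // Returns null when Fastjson rejects the payload (for example a "@type"
    // key); the caller should quarantine such a record, not retry it.
    static TransactionRecord parseRecord(String json) {
        try {
            return JSON.parseObject(json, TransactionRecord.class);
        } catch (JSONException e) {
            System.err.println("rejected transaction record: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        hardenedConfig();

        // Constructed sample data, not taken from any real deployment.
        String benign = "{\"xid\":\"tx-001\",\"status\":1}";
        String withTypeKey = "{\"@type\":\"com.example.NotOnAnyWhitelist\",\"xid\":\"tx-002\"}";

        TransactionRecord ok = parseRecord(benign);
        System.out.println("benign record parsed: " + (ok != null && "tx-001".equals(ok.getXid())));

        TransactionRecord rejected = parseRecord(withTypeKey);
        System.out.println("@type payload rejected: " + (rejected == null));
    }
}
```

Passing the target class to parseObject matters as much as the global flags: the recovery path then never asks Fastjson to pick a class from the stored data, so a payload can at most fail to parse. The Redis-side controls from the same list (authentication, network restriction to application hosts) still apply, since this change only removes the code-execution sink, not the unauthenticated write path.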
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=2.1.0
- (no CPE) range: <=2.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- vuldb.com/submit/814092 (mitre: third-party-advisory)
- github.com/Ku4D3/bug_story/blob/main/report_01.md (mitre: related)
- vuldb.com/vuln/365480 (mitre: vdb-entry, technical-description)
- vuldb.com/vuln/365480/cti (mitre: signature, permissions-required)
News mentions
No linked articles in our index yet.