milvus-io/milvus-sdk-java

Unsafe deserialization in com.alibaba:fastjson

Opened this issue · 7 comments

milvus-sdk-java relies on fastjson. This jar is unsafe to use. Can we upgrade fastjson to another jar, such as Jackson or Gson?

yhmo commented

OK, we will try to replace it in the next minor version.

yhmo commented

@king1302217
This article mentioned "To fully remediate CVE-2022-25845, we recommend upgrading Fastjson to the latest version, which is currently 1.2.83."

The Java SDK is using this version:

<version.fastjson>1.2.83</version.fastjson>

So, can we say it is safe now?

@yhmo Fastjson is forbidden to use in my company. As far as I know, this jar is forbidden in many companies. So it is better to fix it in the next version.

@yhmo Our company also prohibits the use of Fastjson, and we have the same requirement. Can you optimize and upgrade it?

yhmo commented

Currently, the com.alibaba.fastjson.JSONObject is used as input of InsertParam/UpsertParam/InsertRowsParam and output of SearchResultsWrapper/QueryResultsWrapper. If we replace it with gson.JsonObject, it will cause a lot of impact on users' client code.
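The client-side impact yhmo describes, as an added example that is not part of this thread or of the SDK's code: a small bridge that converts between fastjson's JSONObject and Gson's JsonObject by round-tripping through JSON text, so a client can keep its rows in one representation while the SDK's input and output types change underneath it. It assumes fastjson 1.2.83 and a Gson release that has JsonParser.parseString (2.8.6 or later); the field names are constructed, and the InsertParam/SearchResultsWrapper builders named in the thread are not called because their signatures are not shown here.

```java
import com.alibaba.fastjson.JSONObject;
import com.google.gson.JsonArray;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;

/**
 * Added example, not SDK code: bridge between fastjson's JSONObject and Gson's JsonObject
 * by serialising to JSON text and parsing it with the other library. The text form is the
 * stable contract, so a client that keeps its rows as Gson objects only has to change this
 * class when the SDK's parameter and result types move from fastjson to Gson.
 */
public final class JsonBridge {
    private JsonBridge() {}

    /** fastjson -> Gson. fastjson emits plain JSON with no type hints, so Gson parses it as-is. */
    public static JsonObject toGson(JSONObject row) {
        return JsonParser.parseString(row.toJSONString()).getAsJsonObject();
    }

    /**
     * Gson -> fastjson, for the interim where the SDK still expects com.alibaba.fastjson.JSONObject.
     * The text handed to fastjson is produced by Gson from objects the client built itself, so no
     * externally supplied "@type" key reaches fastjson's parser through this path.
     */
    public static JSONObject toFastjson(JsonObject row) {
        return JSONObject.parseObject(row.toString());
    }

    public static void main(String[] args) {
        // Constructed row in the shape a vector insert might use (field names are assumptions).
        JsonObject row = new JsonObject();
        row.addProperty("id", 42L);
        JsonArray vector = new JsonArray();
        vector.add(0.1f);
        vector.add(0.2f);
        row.add("vector", vector);

        // Hand the SDK a fastjson object today...
        JSONObject forSdk = toFastjson(row);
        // ...and read whatever comes back as Gson, so only this bridge changes when the SDK does.
        JsonObject back = toGson(forSdk);

        System.out.println("id preserved: " + (forSdk.getLongValue("id") == back.get("id").getAsLong()));
        System.out.println("vector length: " + back.getAsJsonArray("vector").size());
    }
}
```

The round trip costs one serialise and one parse per row, which is acceptable for client code that wants to be insulated from the dependency swap; once the SDK ships the Gson-based types, toFastjson and the fastjson import can be deleted and the rest of the client is untouched.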

Yes, but I think it is very necessary to fix because many companies prohibit the use of Fastjson. So I hope we can upgrade in the next version. @yhmo

yhmo commented

Note:
The work of replacing FastJson with Gson is not ready. Today we released two new minor versions v2.3.7/v2.4.1 to fix some blocking issues.
Replacing FastJson with Gson is postponed to the next minor version.