Description

An issue was discovered in jishenghua JSH_ERP 2.3.1. The /material/getMaterialEnableSerialNumberList endpoint passes the user-supplied search query parameter directly to Fastjson's parseObject() without any type restriction, introducing a Fastjson deserialization vulnerability that can lead to remote code execution (RCE) via JDBC payloads.

State: PUBLISHED | Reserved 2025-06-16 | Published 2025-11-25 | Updated 2025-11-26 | Assigner: MITRE

References

gitee.com/jishenghua/JSH_ERP

blog.hackpax.top/jsh-erp/

gitee.com/jishenghua

gist.github.com/Paxsizy/a40334ffa7f05c42bf0348833f830108

cve.org (CVE-2025-51742)

nvd.nist.gov (CVE-2025-51742)