CVE-2025-51745

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-51745
An issue was discovered in jishenghua JSH_ERP 2.3.1. The /role/addcan endpoint is vulnerable to fastjson deserialization attacks.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://blog.hackpax.top/jsh-erp4/ Broken Link
https://gist.github.com/Paxsizy/cd1557aeba8093a8650601c4dbffb6f9 Third Party Advisory
https://gitee.com/jishenghua Product
https://gitee.com/jishenghua/JSH_ERP Product
Configurations

Configuration 1 (hide)

cpe:2.3:a:jishenghua:jsherp:*:*:*:*:*:*:*:*
History

02 Dec 2025, 14:56

Type Values Removed Values Added
References () https://blog.hackpax.top/jsh-erp4/ - () https://blog.hackpax.top/jsh-erp4/ - Broken Link
References () https://gist.github.com/Paxsizy/cd1557aeba8093a8650601c4dbffb6f9 - () https://gist.github.com/Paxsizy/cd1557aeba8093a8650601c4dbffb6f9 - Third Party Advisory
References () https://gitee.com/jishenghua - () https://gitee.com/jishenghua - Product
References () https://gitee.com/jishenghua/JSH_ERP - () https://gitee.com/jishenghua/JSH_ERP - Product
First Time Jishenghua jsherp
Jishenghua
CPE cpe:2.3:a:jishenghua:jsherp:*:*:*:*:*:*:*:*

26 Nov 2025, 15:15

Type Values Removed Values Added
CWE CWE-502
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8

25 Nov 2025, 21:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-11-25 21:15

Updated : 2025-12-02 14:56

NVD link : CVE-2025-51745

Mitre link : CVE-2025-51745

CVE.ORG link : CVE-2025-51745

JSON object : View

Products Affected

jishenghua

  • jsherp
CWE
CWE-502

Deserialization of Untrusted Data