CVE-2025-51742

Published: Nov 25, 2025Modified: Dec 2, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

An issue was discovered in jishenghua JSH_ERP 2.3.1. The /material/getMaterialEnableSerialNumberList endpoint passes the search query parameter directly to parseObject(), introducing a Fastjson deserialization vulnerability that can lead to RCE via JDBC payloads.

Affected (1)

Products: Jishenghua: Jsherp

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Jishenghua Jsherp	Up to 2.3.1

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (4)

https://blog.hackpax.top/jsh-erp/

Source: cve@mitre.org

Broken Link

https://gist.github.com/Paxsizy/a40334ffa7f05c42bf0348833f830108

Source: cve@mitre.org

Third Party Advisory

https://gitee.com/jishenghua

Source: cve@mitre.org

Product

https://gitee.com/jishenghua/JSH_ERP

Source: cve@mitre.org

Product

Timeline

No history available yet.