Skip to content

Update dependency com.fasterxml.jackson.core:jackson-databind to v2.18.8 [SECURITY]#251

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/maven-com.fasterxml.jackson.core-jackson-databind-vulnerability
Open

Update dependency com.fasterxml.jackson.core:jackson-databind to v2.18.8 [SECURITY]#251
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/maven-com.fasterxml.jackson.core-jackson-databind-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Mar 18, 2023

Copy link
Copy Markdown

This PR contains the following updates:

Package Change Age Confidence
com.fasterxml.jackson.core:jackson-databind (source) 2.13.02.18.8 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Uncontrolled Resource Consumption in FasterXML jackson-databind

CVE-2022-42004 / GHSA-rgv9-q543-rqg4

More information

Details

In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. This issue can only happen when the UNWRAP_SINGLE_VALUE_ARRAYS feature is explicitly enabled.

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


jackson-databind possible Denial of Service if using JDK serialization to serialize JsonNode

CVE-2021-46877 / GHSA-3x8x-79m2-3w2w

More information

Details

jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Uncontrolled Resource Consumption in Jackson-databind

CVE-2022-42003 / GHSA-jjjh-jjxp-wpff

More information

Details

In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.

Commits that introduced vulnerable code are
FasterXML/jackson-databind@d499f2e, FasterXML/jackson-databind@0e37a39, and FasterXML/jackson-databind@7ba9ac5.

Fix commits are FasterXML/jackson-databind@cd09097 and FasterXML/jackson-databind@d78d00e.

The 2.13.4.1 release does fix this issue, however it also references a non-existent jackson-bom which causes build failures for gradle users. See https://github.com/FasterXML/jackson-databind/issues/3627#issuecomment-1277957548 for details. This is fixed in 2.13.4.2 which is listed in the advisory metadata so that users are not subjected to unnecessary build failures

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Deeply nested json in jackson-databind

CVE-2020-36518 / GHSA-57j2-w4cx-62h2

More information

Details

jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString()

CVE-2026-50193 / GHSA-3wrr-7qpf-2prh

More information

Details

Impact

Potential Denial-of-Service when attacker sends deeply nested JSON if (and only if) service:

  1. Reads deeply nested (1000s of levels) JSON as JsonNode (ObjectMapper.readTree())
  2. Writes out same (or modifided) node using JsonNode.toString()

which can consume significant amount of resources with concurrent relatively small requests (1000 nested arrays is 2kB).

Patches

Fixed in 2.14.0 via https://github.com/FasterXML/jackson-databind/issues/3447.

Workarounds

Avoid serializing JsonNode using toString(): use ObjectMapper.writeValueAsString(node)

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation

CVE-2026-54512 / GHSA-j3rv-43j4-c7qm

More information

Details

jackson-databind's PolymorphicTypeValidator (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains <), DatabindContext._resolveAndValidateGeneric() validates only the raw container class name (the substring before <) against the configured PTV.

If the container type is approved, the method parses the full canonical type string via TypeFactory.constructFromCanonical() and returns the fully parameterized type without ever validating the nested type arguments against the PTV. The nested type arguments are then resolved, instantiated, and populated as beans during deserialization.

An attacker who controls the type ID can therefore place a denied class as a generic type parameter of an allowed container — for example java.util.ArrayList<com.evil.Gadget> when only java.util.ArrayList is allow-listed. The container passes the PTV check; com.evil.Gadget is loaded via Class.forName(name, true, loader), instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list.

This is the same vulnerability class responsible for the historical sequence of jackson-databind deserialization CVEs; here it manifests as a validator bypass rather than a missing deny-list entry.

Impact
  • Bypass of the PTV allow-list, including the recommended BasicPolymorphicTypeValidator configured with name-prefix allow rules.
  • Arbitrary class instantiation of any type assignable to the container's element/parameter position, with attacker-controlled property values (setter/field injection).
  • Potential unauthenticated remote code execution when a class with exploitable side effects (JNDI lookup, JDBC/connection-pool gadgets,TemplatesImpl-style loaders, etc.) is present on the classpath.

Applications that accept untrusted JSON and rely on a configured PTV — the documented, security-conscious configuration — are affected.

Proof of Concept

Configuration restricting polymorphic deserialization to a single safe container:

BasicPolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
        .allowIfSubType("java.util.ArrayList")
        .build();

ObjectMapper mapper = JsonMapper.builder()
        .polymorphicTypeValidator(ptv)
        .build();

Malicious payload (Wrapper.value is Object with @JsonTypeInfo(use = Id.CLASS, include = As.WRAPPER_ARRAY)):

{"value":["java.util.ArrayList<com.evil.EvilGadget>",[{"cmd":"calc.exe"}]]}

On vulnerable versions, com.evil.EvilGadget is instantiated and its cmd property is set, despite only java.util.ArrayList being allow-listed. On 2.18.8 / 2.21.4 / 3.1.4 the deserialization throws InvalidTypeIdException before instantiation.

Variant payloads (all bypass an ArrayList/HashMap allow-list):

Type ID Smuggled type position
java.util.ArrayList<Evil> list element
java.util.HashMap<Evil,String> map key
java.util.HashMap<String,Evil> map value
java.util.ArrayList<java.util.ArrayList<Evil>> nested element
java.util.ArrayList<Evil[]> array element

Patches

Fixed in 2.18.8, 2.21.4 and 3.1.4 via the changes for FasterXML/jackson-databind#5988, commit 434d6c511. The fix adds recursive validation of each non-trivial type parameter (and array element types appearing as parameters) through the full PTV chain, with documented exemptions for Object (wildcard resolution) and Enum types.

PolymorphicTypeValidator was added in 2.10.0 so vulnerability N/A for versions prior to that.

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)

CVE-2026-54513 / GHSA-rmj7-2vxq-3g9f

More information

Details

Summary

BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist.

Impact

Applications using BasicPolymorphicTypeValidator with allowIfSubTypeIsArray() as a safeguard get no protection for concrete array component types; an attacker controlling JSON can instantiate non-allowlisted types via an array wrapper, re-opening the gadget-instantiation risk PTV is meant to prevent.

Affected / Patched (verified via git tag --contains)
  • 2.18 line: >= 2.10.0, < 2.18.8 -> fixed in 2.18.8
  • 2.19-2.21 line: >= 2.19.0, < 2.21.4 -> fixed in 2.21.4
  • 3.x line: >= 3.0.0, < 3.1.4 -> fixed in 3.1.4

PolymorphicTypeValidator was added in 2.10.0 so vulnerability N/A for versions prior to that.

Severity / CWE

Maintainer: significant. Reporter: HIGH. CWE-184 (Incomplete List of Disallowed Inputs); related CWE-502.

Upstream fix

FasterXML/jackson-databind#5981; fix PR #​5983 (24529da), 2.18 backport PR #​5984 (01d1692). Released 2026-06-04 in 2.18.8 / 2.21.4 / 3.1.4.

Credits

Omkhar Arasaratnam (@​omkhar) - finder.

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)

CVE-2026-54514 / GHSA-hgj6-7826-r7m5

More information

Details

Summary

JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect.

Impact

An attacker controlling JSON deserialized into an InetSocketAddress-bearing type can force outbound DNS lookups for attacker-chosen hostnames at deserialization time (SSRF / DNS-based out-of-band interaction / internal-resolver probing), purely from binding.

Affected / Patched (verified via git tag --contains on 1f5a103)
  • 2.18 line: >= 2.18.0, < 2.18.8 -> fixed in 2.18.8
  • 2.19-2.21 line: >= 2.19.0, < 2.21.4 -> fixed in 2.21.4
  • 3.x line: >= 3.0.0, < 3.1.4 -> fixed in 3.1.4
Severity / CWE

Maintainer: minor. Reporter: LOW. CWE-918 (SSRF).

Upstream fix

FasterXML/jackson-databind#5951 ("Improve InetSocketAddress deserialization"). Released 2026-06-04 in 2.18.8 / 2.21.4 / 3.1.4.

Credits

Omkhar Arasaratnam (@​omkhar) - finder.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot changed the title fix(deps): update dependency com.fasterxml.jackson.core:jackson-databind to v2.13.4.2 [security] fix(deps): update dependency com.fasterxml.jackson.core:jackson-databind to v2.13.4.1 [security] Mar 30, 2023
@renovate
renovate Bot force-pushed the renovate/maven-com.fasterxml.jackson.core-jackson-databind-vulnerability branch from 57691bc to 33a0931 Compare March 30, 2023 01:33
@renovate renovate Bot changed the title fix(deps): update dependency com.fasterxml.jackson.core:jackson-databind to v2.13.4.1 [security] fix(deps): update dependency com.fasterxml.jackson.core:jackson-databind to v2.13.4.2 [security] Mar 31, 2023
@renovate
renovate Bot force-pushed the renovate/maven-com.fasterxml.jackson.core-jackson-databind-vulnerability branch from 33a0931 to becc1ad Compare March 31, 2023 15:17
@qlty-cloud-legacy

Copy link
Copy Markdown

Code Climate has analyzed commit becc1ad and detected 0 issues on this pull request.

View more on Code Climate.

@renovate renovate Bot changed the title fix(deps): update dependency com.fasterxml.jackson.core:jackson-databind to v2.13.4.2 [security] fix(deps): update dependency com.fasterxml.jackson.core:jackson-databind to v2.13.4.2 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate
renovate Bot deleted the renovate/maven-com.fasterxml.jackson.core-jackson-databind-vulnerability branch March 27, 2026 01:40
@renovate renovate Bot changed the title fix(deps): update dependency com.fasterxml.jackson.core:jackson-databind to v2.13.4.2 [security] - autoclosed fix(deps): update dependency com.fasterxml.jackson.core:jackson-databind to v2.13.4.2 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate
renovate Bot force-pushed the renovate/maven-com.fasterxml.jackson.core-jackson-databind-vulnerability branch 2 times, most recently from becc1ad to 8620b1a Compare March 30, 2026 21:50
@renovate renovate Bot changed the title fix(deps): update dependency com.fasterxml.jackson.core:jackson-databind to v2.13.4.2 [security] Update dependency com.fasterxml.jackson.core:jackson-databind to v2.13.4.2 [SECURITY] Apr 8, 2026
@renovate renovate Bot changed the title Update dependency com.fasterxml.jackson.core:jackson-databind to v2.13.4.2 [SECURITY] Update dependency com.fasterxml.jackson.core:jackson-databind to v2.13.4.2 [SECURITY] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title Update dependency com.fasterxml.jackson.core:jackson-databind to v2.13.4.2 [SECURITY] - autoclosed Update dependency com.fasterxml.jackson.core:jackson-databind to v2.13.4.2 [SECURITY] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate
renovate Bot force-pushed the renovate/maven-com.fasterxml.jackson.core-jackson-databind-vulnerability branch 2 times, most recently from 8620b1a to 0b02e5a Compare April 27, 2026 23:28
@renovate
renovate Bot force-pushed the renovate/maven-com.fasterxml.jackson.core-jackson-databind-vulnerability branch from 0b02e5a to 18ad0a1 Compare July 4, 2026 03:04
@renovate renovate Bot changed the title Update dependency com.fasterxml.jackson.core:jackson-databind to v2.13.4.2 [SECURITY] Update dependency com.fasterxml.jackson.core:jackson-databind to v2.18.8 [SECURITY] Jul 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants