Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
AC:H because exploitation requires three concurrent non-default application conditions: @JsonCreator constructor, setterless collection/map with @JsonView restriction, and view used as a security boundary.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 5,171 maven packages depend on com.fasterxml.jackson.core:jackson-databind (1,703 direct, 3,524 indirect)
- 358 maven packages depend on tools.jackson.core:jackson-databind (101 direct, 257 indirect)
Ecosystem-wide dependent count for version 2.21.0 and other introduced versions.
DescriptionCVE.org
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer._deserializeUsingPropertyBased, the active-view (@JsonView) filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInView(activeView) check. A change making SetterlessProperty.isMerging() return true routed setterless Collection/Map properties through this unguarded path, so a setterless collection annotated with a restricted @JsonView is populated from attacker JSON even when the active view excludes it. This vulnerability is fixed in 2.21.4 and 3.1.4.
AnalysisAI
@JsonView access-control bypass in jackson-databind 2.21.0-2.21.3 and 3.0.0-3.1.3 allows remote attackers to write values into setterless Collection/Map properties that are restricted by a @JsonView annotation, defeating view-based mass-assignment protection during deserialization. The regression was introduced when SetterlessProperty.isMerging() was changed to return true, routing these properties through an unguarded buffering branch in BeanDeserializer._deserializeUsingPropertyBased that lacked the prop.visibleInView(activeView) check applied to creator properties. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three simultaneous application-level conditions: (1) the target class uses a @JsonCreator constructor, which activates the property-based deserialization path in BeanDeserializer._deserializeUsingPropertyBased; (2) the class contains at least one setterless Collection or Map property - a field with no setter, only a getter returning a mutable collection - annotated with a @JsonView that restricts it to a more-privileged view (e.g., AdminView); and (3) the application invokes the ObjectMapper with a less-privileged active view (e.g., readerWithView(PublicView.class)) and relies on that view filter to prevent the restricted field from being written. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 3.1 rates this 5.3 Medium with AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, but the AC:L rating warrants scrutiny: exploitation requires the simultaneous presence of a @JsonCreator constructor, at least one setterless Collection/Map property, and application reliance on @JsonView for security enforcement - a specific combination that is common in layered REST APIs but not universal. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targets a REST endpoint that deserializes client-supplied JSON into a class with a @JsonCreator constructor, where a roles or permissions field is a setterless List annotated @JsonView(AdminView.class) and the endpoint operates under PublicView. By submitting JSON containing "roles":["admin"] - particularly placing it before the creator property to force the buffering path - the attacker's value is written into the roles collection despite the PublicView restriction, achieving unauthorized privilege escalation within the deserialized object. … |
| Remediation | Upgrade jackson-databind to version 2.21.4 (for 2.21.x users) or 3.1.4 (for 3.x users); both are confirmed patched releases per GHSA advisory GHSA-5hh8-q8hv-fr38 at https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-5hh8-q8hv-fr38. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Jackson Databind
View allFasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeseriali
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. Rated high severity (CVSS 7.5)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38589
GHSA-5hh8-q8hv-fr38