Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
AV:N because attacker delivers JSON over the network; PR:N at the library layer; I:L for unauthorized writes to view-restricted fields; C:N because deserialization itself does not expose data to the attacker.
Primary rating from Vendor (https://github.com/FasterXML/jackson-databind).
CVSS VectorVendor: https://github.com/FasterXML/jackson-databind
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2Blast Radius
ecosystem impact- 5,171 maven packages depend on com.fasterxml.jackson.core:jackson-databind (1,703 direct, 3,524 indirect)
- 358 maven packages depend on tools.jackson.core:jackson-databind (101 direct, 257 indirect)
Ecosystem-wide dependent count for version 2.21.0 and other introduced versions.
DescriptionCVE.org
Summary
UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters but never consults prop.visibleInView(activeView). The normal property-based creator path gates creator properties on the active view, but this unwrapped-creator replay path bypasses that check, so a constructor parameter annotated with both @JsonView(AdminView.class) and @JsonUnwrapped is populated from attacker JSON even when a more restrictive view is active.
Impact
View-restricted unwrapped creator parameters can be set from untrusted input where @JsonView is used as a write-side authorization boundary.
Affected / Patched (verified via git tag --contains)
- 2.21 line:
>= 2.21.0, < 2.21.4-> fixed in 2.21.4 (backport721fa07, #5973) - 3.x line:
>= 3.0.0, < 3.1.4-> fixed in 3.1.4 (#5971,d633bc0)
Severity / CWE
Maintainer: minor. Reporter: HIGH. CWE-863 (Incorrect Authorization); related CWE-284.
Credits
Omkhar Arasaratnam (@omkhar) - finder.
AnalysisAI
Jackson-databind's @JsonView authorization boundary is bypassed for constructor parameters that combine @JsonUnwrapped and @JsonView annotations, affecting versions 2.21.0-2.21.3 and 3.0.0-3.1.3. The deserialization code path in UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters without calling prop.visibleInView(activeView), while the standard property path correctly enforces this check. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all three of the following conditions simultaneously: (1) the application uses `@JsonView` as a write-side (deserialization) authorization boundary, not merely for serialization output shaping - this is a non-default, application-specific design choice; (2) a deserialized Java class has a `@JsonCreator`-annotated constructor where at least one parameter is annotated with BOTH `@JsonView` and `@JsonUnwrapped`; (3) the application deserializes attacker-controlled JSON via `ObjectMapper.readerWithView()` activating a view that is less privileged than the view annotating the vulnerable constructor parameter. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) is technically defensible at the library level but overstates real-world risk for most deployments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends a crafted HTTP POST body - for example `{"name":"alice","street":"1 Main St"}` - to a public API endpoint that deserializes the payload using `ObjectMapper.readerWithView(PublicView.class)`. Because the target class has a `@JsonCreator` constructor parameter annotated with both `@JsonView(AdminView.class)` and `@JsonUnwrapped`, the `UnwrappedPropertyHandler` replay path populates the admin-restricted `address` field from the attacker's input despite the PublicView context. … |
| Remediation | Upgrade jackson-databind to 2.21.4 or later on the 2.21.x line, or to 3.1.4 or later on the 3.x line; these versions are confirmed fixed per git tag evidence cited in the GitHub advisory (GHSA-rcqc-6cw3-h962). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38629
GHSA-rcqc-6cw3-h962