Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-reachable via JSON endpoint, no privileges required, limited integrity impact only; no confidentiality or availability consequence per advisory.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 5,171 maven packages depend on com.fasterxml.jackson.core:jackson-databind (1,703 direct, 3,524 indirect)
- 358 maven packages depend on tools.jackson.core:jackson-databind (101 direct, 257 indirect)
Ecosystem-wide dependent count for version 2.21.0 and other introduced versions.
DescriptionCVE.org
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, POJOPropertiesCollector._renameProperties() allows a property with @JsonProperty("renamed") on the getter and @JsonIgnore on the setter to be renamed rather than dropped. With MapperFeature.INFER_PROPERTY_MUTATORS enabled (default), the private backing field is retained; during deserialization BeanDeserializerFactory.addBeanProps() sees hasField()==true, builds a FieldProperty, and makes the backing field writable. An attacker supplying the renamed JSON key writes the backing field directly, bypassing the @JsonIgnore on the setter. This vulnerability is fixed in 3.1.4.
AnalysisAI
Integrity bypass in jackson-databind 2.21.0-2.21.3 and 3.0.0-3.1.3 allows unauthenticated network attackers to write to private backing fields that application developers intended as read-only. The flaw occurs when a POJO uses @JsonProperty on a getter with @JsonIgnore on the setter - a common read-only-over-the-wire pattern - and MapperFeature.INFER_PROPERTY_MUTATORS is enabled (the default). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) The target application uses jackson-databind 2.21.0-2.21.3 or 3.0.0-3.1.3 to deserialize user-controlled JSON input. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, score 5.3 Medium) accurately reflects the network-reachable, zero-privilege nature of the attack surface but is contingent on an application-level prerequisite: the target POJO must use the specific @JsonProperty-on-getter plus @JsonIgnore-on-setter annotation combination. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targeting a Java application with a REST endpoint that deserializes user-supplied JSON into a POJO - where that POJO uses @JsonProperty('renamedProp') on a getter and @JsonIgnore on the setter to expose a field as serialization-only - submits a crafted POST body containing the key 'renamedProp' with an attacker-chosen value. Jackson's _renameProperties() retains the private backing field as writable, causing BeanDeserializerFactory to build a FieldProperty and write the attacker's value directly into the private field, bypassing the developer's intended read-only enforcement. … |
| Remediation | Upgrade jackson-databind to 2.21.4 (for the 2.21.x line) or 3.1.4 (for the 3.x line), as confirmed by GHSA-9fxm-vc8v-hj55 and the upstream commit history (commits c3d56dd and e88cb17). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Jackson Databind
View allFasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeseriali
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. Rated high severity (CVSS 7.5)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
Same technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38590
GHSA-9fxm-vc8v-hj55