Update jackson-version [SECURITY]#75
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
d48fde0 to
9a1bec0
Compare
9a1bec0 to
9f64461
Compare
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



This PR contains the following updates:
2.18.0→2.18.82.18.0→2.18.6jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation
CVE-2026-54512 / GHSA-j3rv-43j4-c7qm
More information
Details
jackson-databind'sPolymorphicTypeValidator(PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains<),DatabindContext._resolveAndValidateGeneric()validates only the raw container class name (the substring before<) against the configured PTV.If the container type is approved, the method parses the full canonical type string via
TypeFactory.constructFromCanonical()and returns the fully parameterized type without ever validating the nested type arguments against the PTV. The nested type arguments are then resolved, instantiated, and populated as beans during deserialization.An attacker who controls the type ID can therefore place a denied class as a generic type parameter of an allowed container — for example
java.util.ArrayList<com.evil.Gadget>when onlyjava.util.ArrayListis allow-listed. The container passes the PTV check;com.evil.Gadgetis loaded viaClass.forName(name, true, loader), instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list.This is the same vulnerability class responsible for the historical sequence of jackson-databind deserialization CVEs; here it manifests as a validator bypass rather than a missing deny-list entry.
Impact
BasicPolymorphicTypeValidatorconfigured with name-prefix allow rules.TemplatesImpl-style loaders, etc.) is present on the classpath.Applications that accept untrusted JSON and rely on a configured PTV — the documented, security-conscious configuration — are affected.
Proof of Concept
Configuration restricting polymorphic deserialization to a single safe container:
Malicious payload (
Wrapper.valueisObjectwith@JsonTypeInfo(use = Id.CLASS, include = As.WRAPPER_ARRAY)):{"value":["java.util.ArrayList<com.evil.EvilGadget>",[{"cmd":"calc.exe"}]]}On vulnerable versions,
com.evil.EvilGadgetis instantiated and itscmdproperty is set, despite onlyjava.util.ArrayListbeing allow-listed. On2.18.8/2.21.4/3.1.4the deserialization throwsInvalidTypeIdExceptionbefore instantiation.Variant payloads (all bypass an
ArrayList/HashMapallow-list):java.util.ArrayList<Evil>java.util.HashMap<Evil,String>java.util.HashMap<String,Evil>java.util.ArrayList<java.util.ArrayList<Evil>>java.util.ArrayList<Evil[]>Patches
Fixed in 2.18.8, 2.21.4 and 3.1.4 via the changes for FasterXML/jackson-databind#5988, commit
434d6c511. The fix adds recursive validation of each non-trivial type parameter (and array element types appearing as parameters) through the full PTV chain, with documented exemptions forObject(wildcard resolution) andEnumtypes.PolymorphicTypeValidatorwas added in 2.10.0 so vulnerability N/A for versions prior to that.Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)
CVE-2026-54513 / GHSA-rmj7-2vxq-3g9f
More information
Details
Summary
BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray()allowlists any array type based only onclazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built withallowIfSubTypeIsArray()plus an explicit concrete-type allowlist therefore still permitsEvilType[]even thoughEvilTypeis not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist.Impact
Applications using
BasicPolymorphicTypeValidatorwithallowIfSubTypeIsArray()as a safeguard get no protection for concrete array component types; an attacker controlling JSON can instantiate non-allowlisted types via an array wrapper, re-opening the gadget-instantiation risk PTV is meant to prevent.Affected / Patched (verified via
git tag --contains)>= 2.10.0, < 2.18.8-> fixed in 2.18.8>= 2.19.0, < 2.21.4-> fixed in 2.21.4>= 3.0.0, < 3.1.4-> fixed in 3.1.4PolymorphicTypeValidatorwas added in 2.10.0 so vulnerability N/A for versions prior to that.Severity / CWE
Maintainer: significant. Reporter: HIGH. CWE-184 (Incomplete List of Disallowed Inputs); related CWE-502.
Upstream fix
FasterXML/jackson-databind#5981; fix PR #5983 (
24529da), 2.18 backport PR #5984 (01d1692). Released 2026-06-04 in 2.18.8 / 2.21.4 / 3.1.4.Credits
Omkhar Arasaratnam (@omkhar) - finder.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)
CVE-2026-54514 / GHSA-hgj6-7826-r7m5
More information
Details
Summary
JDKFromStringDeserializerconstructedInetSocketAddresswithnew InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing anInetSocketAddressfield issues an attacker-chosen DNS query duringreadValue, before any application-level validation or connect logic. The fix usesInetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect.Impact
An attacker controlling JSON deserialized into an
InetSocketAddress-bearing type can force outbound DNS lookups for attacker-chosen hostnames at deserialization time (SSRF / DNS-based out-of-band interaction / internal-resolver probing), purely from binding.Affected / Patched (verified via
git tag --containson1f5a103)>= 2.18.0, < 2.18.8-> fixed in 2.18.8>= 2.19.0, < 2.21.4-> fixed in 2.21.4>= 3.0.0, < 3.1.4-> fixed in 3.1.4Severity / CWE
Maintainer: minor. Reporter: LOW. CWE-918 (SSRF).
Upstream fix
FasterXML/jackson-databind#5951 ("Improve InetSocketAddress deserialization"). Released 2026-06-04 in 2.18.8 / 2.21.4 / 3.1.4.
Credits
Omkhar Arasaratnam (@omkhar) - finder.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
GHSA-72hv-8253-57qq
More information
Details
Summary
The non-blocking (async) JSON parser in
jackson-corebypasses themaxNumberLengthconstraint (default: 1000 characters) defined inStreamReadConstraints. This allows an attacker to send JSON with arbitrarily long numbers through the async parser API, leading to excessive memory allocation and potential CPU exhaustion, resulting in a Denial of Service (DoS).The standard synchronous parser correctly enforces this limit, but the async parser fails to do so, creating an inconsistent enforcement policy.
Details
The root cause is that the async parsing path in
NonBlockingUtf8JsonParserBase(and related classes) does not call the methods responsible for number length validation._finishNumberIntegralPart) accumulate digits into theTextBufferwithout any length checks._valueComplete(), which finalizes the token but does not callresetInt()orresetFloat().resetInt()/resetFloat()methods inParserBaseare where thevalidateIntegerLength()andvalidateFPLength()checks are performed.maxNumberLengthconstraint is never enforced in the async code path.PoC
The following JUnit 5 test demonstrates the vulnerability. It shows that the async parser accepts a 5,000-digit number, whereas the limit should be 1,000.
Impact
A malicious actor can send a JSON document with an arbitrarily long number to an application using the async parser (e.g., in a Spring WebFlux or other reactive application). This can cause:
TextBufferto store the number's digits, leading to anOutOfMemoryError.getBigIntegerValue()orgetDecimalValue(), the JVM can be tied up in O(n^2)BigIntegerparsing operations, leading to a CPU-based DoS.Suggested Remediation
The async parsing path should be updated to respect the
maxNumberLengthconstraint. The simplest fix appears to ensure that_valueComplete()or a similar method in the async path calls the appropriate validation methods (resetInt()orresetFloat()) already present inParserBase, mirroring the behavior of the synchronous parsers.NOTE: This research was performed in collaboration with rohan-repos
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.