Threat Advisory

Jackson-databind Vulnerability Bypasses Polymorphic Type Validator Allowlist

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in jackson-databind, the data-binding component of the Jackson JSON processor, affecting versions 2.10.0 through 2.18.7, 2.19.0 through 2.21.3, and 3.0.0 through 3.1.3. The flaws bypass the PolymorphicTypeValidator, allowing attackers to instantiate arbitrary classes via crafted generic type identifiers or array subtypes, which can lead to remote code execution, data tampering, and denial-of-service. Business risk includes loss of data confidentiality, integrity, and availability, potential leakage of sensitive information, and disruption of services that rely on trusted JSON deserialization. Organizations that accept untrusted JSON or rely on configured allow-lists are especially exposed.

  • CVE-2026-54512 with a CVSS score of 8.1 – A PolymorphicTypeValidator bypass allows an attacker to embed a disallowed class as a generic type argument of an allowed container, leading to arbitrary class instantiation; exploitation requires control of the JSON type identifier and a vulnerable Jackson configuration. No privileges or user interaction are needed.
  • CVE-2026-54513 with a CVSS score of 8.1 – An array subtype allow-list bypass in BasicPolymorphicTypeValidator permits instantiation of non-allowlisted element types via array wrappers, enabling gadget execution; the attacker only needs to supply malicious JSON to a deserializer that uses allowIfSubTypeIsArray(). The attack works over the network without authentication.

These vulnerabilities collectively expose applications that rely on Jackson's polymorphic deserialization to remote code execution and data compromise, demanding immediate attention. If exploited, attackers can execute arbitrary code, exfiltrate or corrupt data, and cause service outages, threatening regulatory compliance and customer trust. Prompt risk assessment and mitigation are essential.

RECOMMENDATION:

  • Update jackson-databind to the fixed release for the branch in use: 2.18.8 (for 2.10.0 through 2.18.7), 2.21.4 (for 2.19.0 through 2.21.3), or 3.1.4 (for 3.0.0 through 3.1.3).
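As an added example (editor's code, not part of this advisory or of the Jackson project), the following Python script flags jackson-databind versions that fall inside the affected ranges stated above and names the fixed release to move to. It assumes dependency lines in the format printed by `mvn dependency:list` and assumes the group id `tools.jackson.core` for Jackson 3.x artifacts; the sample dependency list is constructed for the demonstration.

```python
import re

# Affected ranges and the corresponding fixed versions, as stated in this advisory.
# Each entry: (lowest affected, highest affected, fixed version).
AFFECTED_RANGES = [
    ((2, 10, 0), (2, 18, 7), (2, 18, 8)),
    ((2, 19, 0), (2, 21, 3), (2, 21, 4)),
    ((3, 0, 0), (3, 1, 3), (3, 1, 4)),
]

# Leading major.minor.patch of a version string; suffixes such as "-SNAPSHOT"
# or a fourth component ("2.9.10.8") are ignored for the range comparison.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# Maven coordinate as printed by `mvn dependency:list`, e.g.
# "[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.17.2:compile".
# Assumption: Jackson 3.x ships under the group id tools.jackson.core.
DEP_RE = re.compile(r"(?P<group>[\w.\-]+):jackson-databind:jar:(?P<version>[\w.\-]+)")


def parse_version(text):
    """Return (major, minor, patch) or raise ValueError for unrecognised strings."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def fixed_version_for(version):
    """Return the fixed version to upgrade to if `version` is affected, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return ".".join(str(n) for n in fixed)
    return None


def scan_dependency_lines(lines):
    """Return (group, version, fixed-or-None) for every jackson-databind line found.

    Versions that cannot be parsed are reported with fixed == "unknown" so they
    get reviewed by hand instead of being silently treated as safe.
    """
    findings = []
    for line in lines:
        m = DEP_RE.search(line)
        if not m:
            continue
        version = m.group("version")
        try:
            fixed = fixed_version_for(version)
        except ValueError:
            fixed = "unknown"
        findings.append((m.group("group"), version, fixed))
    return findings


# Constructed sample output. A 2.x and a 3.x artifact are both listed only to
# exercise both branches; a single build would not normally contain both.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.17.2:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.17.2:compile
[INFO]    tools.jackson.core:jackson-databind:jar:3.1.4:compile
[INFO]    org.example:service-utils:jar:1.0.0:compile
""".splitlines()


if __name__ == "__main__":
    for group, version, fixed in scan_dependency_lines(SAMPLE_DEPENDENCY_LIST):
        status = "not affected" if fixed is None else f"AFFECTED, upgrade to {fixed}"
        print(f"{group}:jackson-databind {version}: {status}")
```

The range table is the only place the advisory's numbers appear, so updating it when a new fix version is published is the one maintenance step; pre-release suffixes are deliberately treated as the base version so that a `2.18.7-SNAPSHOT` build is still flagged.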

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-j3rv-43j4-c7qm
https://github.com/advisories/GHSA-rmj7-2vxq-3g9f
