CVE-2020-10969
Description
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, allowing remote code execution via javax.swing.JEditorPane.
Vulnerability Overview
CVE-2020-10969 is a deserialization vulnerability in FasterXML jackson-databind 2.x prior to version 2.9.10.4. The issue arises from the library's improper handling of the interaction between serialization gadgets and type validation, specifically related to the javax.swing.JEditorPane class. This class is a known "gadget" that can be abused when default typing is enabled, allowing an attacker to craft a malicious payload that triggers arbitrary code execution upon deserialization [1][2][3].
Attack Vector
The exploit requires that the application using jackson-databind has enabled default typing (e.g., ObjectMapper.enableDefaultTyping()) and that the attacker can supply a serialized JSON payload to the deserialization endpoint. No authentication is needed if the endpoint is publicly accessible. The attacker crafts a JSON object that leverages the javax.swing.JEditorPane gadget chain, which, when deserialized, can lead to the execution of arbitrary commands on the server or client [2][3].
Impact
Successful exploitation can lead to remote code execution in the context of the application, potentially allowing the attacker to take full control of the affected system, exfiltrate data, or perform other malicious activities. The vulnerability is rated with a CVSS v3.1 base score of 9.8 (Critical), indicating the highest severity due to the network attack vector, low complexity, and no required privileges [2].
Mitigation
The fix was implemented in jackson-databind version 2.9.10.4 by adding javax.swing.JEditorPane to the blocklist of dangerous classes in the SubTypeValidator [4]. Users are strongly advised to upgrade to this or a later version. For those unable to upgrade, disabling default typing or applying a custom deserialization safety checker can serve as a workaround [1][2].
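The mitigation advice above, shown as an added Java example (not code from this page or from the jackson-databind project): the weak `enableDefaultTyping()` configuration beside two corrected ones. The `allowlistMapper` variant assumes jackson-databind 2.10 or later, where `activateDefaultTyping` and `BasicPolymorphicTypeValidator` exist; the class name `JacksonTypingConfig`, the package prefix and the sample JSON are assumptions.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingConfig {

    // Weak setting: global default typing with no type validator. On
    // jackson-databind 2.x before 2.9.10.4 a JSON document can then name
    // javax.swing.JEditorPane as the concrete type to instantiate; the fix
    // only adds that one class name to the SubTypeValidator blocklist.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Corrected setting 1: leave default typing off. Polymorphic fields
    // then need explicit @JsonTypeInfo/@JsonSubTypes declarations, so the
    // JSON document cannot choose an arbitrary class.
    static ObjectMapper safeMapper() {
        return new ObjectMapper();
    }

    // Corrected setting 2 (assumes jackson-databind 2.10+): when default
    // typing is genuinely needed, attach an allowlist validator so that
    // only subtypes under the application's own package are instantiable.
    static ObjectMapper allowlistMapper(String allowedPackagePrefix) {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(allowedPackagePrefix)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a wrapper-array type id naming a JDK class that
        // is not under the allowed package prefix.
        String json = "[\"java.util.HashMap\", {}]";
        try {
            allowlistMapper("com.example.").readValue(json, Object.class);
            System.out.println("type id accepted");
        } catch (JsonMappingException e) {
            System.out.println("type id rejected by validator: " + e.getMessage());
        }
    }
}
```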
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.fasterxml.jackson.core:jackson-databind (Maven) | >= 2.9.0, < 2.9.10.4 | 2.9.10.4 |
Affected products
- FasterXML/jackson-databind (no CPE), OSV coordinates:
  - pkg:apk/chainguard/hive: < 4.0.1-r1
  - pkg:apk/chainguard/hive-compat: < 4.0.1-r1
  - pkg:maven/com.fasterxml.jackson.core/jackson-databind: >= 2.9.0, < 2.9.10.4
Patches
2 files changed · +7 −2
release-notes/VERSION+4 −2 modified@@ -6,10 +6,12 @@ Project: jackson-databind 2.7.9.7 (not yet released) -#2631: Block one more gadget type (shaded-hikari-config, CVE-to-be-allocated) +#2631: Block one more gadget type (shaded-hikari-config, CVE-2020-9546) (reported by threedr3am & LFY) -#2634: Block two more gadget types (ibatis-sqlmap, anteros-core; CVE-to-be-allocated) +#2634: Block two more gadget types (ibatis-sqlmap, anteros-core; CVE-2020-9547 / CVE-2020-9548) (reported by threedr3am & V1ZkRA) +#2642: Block one more gadget type (javax.swing, CVE-to-be-allocated) + (reported by threedr3am) #2410: Block one more gadget type (HikariCP, CVE-2019-14540) #2420: Block one more gadget type (cxf-jax-rs, no CVE allocated yet) #2449: Block one more gadget type (HikariCP, CVE-2019-14439 / CVE-2019-16335)
src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java+3 −0 modified@@ -133,6 +133,9 @@ public class SubTypeValidator s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig"); s.add("br.com.anteros.dbcp.AnterosDBCPConfig"); + // [databind#2642]: javax.swing (jdk) + s.add("javax.swing.JEditorPane"); + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); }
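Review bot: the release-notes hunk replaces the "CVE-to-be-allocated" placeholders for #2631 and #2634 with their assigned ids but introduces a new one for #2642, the javax.swing entry this page records as CVE-2020-10969; suggest a follow-up that updates the line to `+#2642: Block one more gadget type (javax.swing, CVE-2020-10969)` so the three entries are consistent.

Review bot: the SubTypeValidator hunk adds one exact class name, `s.add("javax.swing.JEditorPane");`, to DEFAULT_NO_DESER_CLASS_NAMES, so the block applies only to that fully qualified name, while the comment `// [databind#2642]: javax.swing (jdk)` reads as if the package were covered; suggest naming the class in the comment, e.g. `// [databind#2642]: javax.swing.JEditorPane (jdk)`, so maintainers of the list do not assume broader coverage.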
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- GitHub Security Advisory GHSA-758m-v56v-grj4: https://github.com/advisories/GHSA-758m-v56v-grj4
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-10969
- Fix commit: https://github.com/FasterXML/jackson-databind/commit/6ba48457984943df0de92c54144f7dcae01b1221
- Tracking issue databind#2642: https://github.com/FasterXML/jackson-databind/issues/2642
- Debian LTS announcement: https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html
- Medium post by cowtowncoder, "On Jackson CVEs: Don't Panic, Here Is What You Need To Know": https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- NetApp advisory NTAP-20200403-0002: https://security.netapp.com/advisory/ntap-20200403-0002/
- Oracle Critical Patch Update, July 2020: https://www.oracle.com/security-alerts/cpujul2020.html
- Oracle Critical Patch Update, October 2020: https://www.oracle.com/security-alerts/cpuoct2020.html
- Oracle Critical Patch Update, January 2021: https://www.oracle.com/security-alerts/cpujan2021.html
- Oracle Critical Patch Update, October 2021: https://www.oracle.com/security-alerts/cpuoct2021.html
News mentions
No linked articles in our index yet.