CVE-2020-35490
Description
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FasterXML jackson-databind before 2.9.10.8 mishandles serialization gadgets with typing, allowing remote code execution via PerUserPoolDataSource from commons-dbcp2.
Vulnerability
Overview
CVE-2020-35490 affects FasterXML jackson-databind 2.x before 2.9.10.8. Jackson's polymorphic type handling lets a JSON document name the concrete class to instantiate, and Jackson guards that path with a deny list of known gadget classes. Before the fix, the Apache Commons DBCP2 classes org.apache.commons.dbcp2.datasources.PerUserPoolDataSource and SharedPoolDataSource were missing from that list, so a type id naming either of them was accepted whenever default typing (or an equivalent @JsonTypeInfo(use = Id.CLASS) binding on a broad base type) was enabled [1][2]. The root cause is therefore an incomplete deny list in SubTypeValidator's DEFAULT_NO_DESER_CLASS_NAMES [4].
Exploitation
Exploitation requires three things: the application must enable polymorphic type handling for attacker-influenced input, typically via ObjectMapper.enableDefaultTyping() or a property annotated @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) whose declared type is broad (java.lang.Object, Serializable and the like); commons-dbcp2 must be on the classpath so that the type id resolves to a loadable class [3]; and the attacker must be able to deliver JSON to that code path. No authentication is needed when the application deserializes untrusted input over a network. The attacker supplies a document whose type id names the gadget class; Jackson instantiates it and populates its properties from the attacker-controlled JSON, which is what turns deserialization into code execution [2][3]. Without default typing, or without the library on the classpath, the same document is rejected or treated as plain data.
Impact
Successful exploitation gives an unauthenticated attacker remote code execution in the context of the application process, so confidentiality, integrity and availability of the host can all be fully compromised [2]. The gadget is one more entry in the long series of Jackson deserialization issues that each add a newly discovered class from a common Java library to the same deny list; any application that meets the preconditions above stays exposed until the list catches up or default typing is removed.
Mitigation
The fix (commit 41b8bdb, databind#2986) adds PerUserPoolDataSource and SharedPoolDataSource to SubTypeValidator's blocked-type set and ships in jackson-databind 2.9.10.8 [4]; upgrade to that version or later. If upgrading is not immediately possible, disable default typing (and remove @JsonTypeInfo(use = Id.CLASS) bindings on broad base types), which closes this and every other gadget of the same kind at the cost of losing implicit polymorphism [2]. A deny list is inherently reactive: from 2.10 onward Jackson also offers activateDefaultTyping(PolymorphicTypeValidator, ...) with BasicPolymorphicTypeValidator, which restricts polymorphic resolution to an explicit allowlist of application types and is the durable mitigation. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog at the time of analysis.
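The following is an added example, not code from this page or from the Jackson project, showing the two Exploitation preconditions and the Mitigation options side by side. It assumes jackson-databind 2.10 or later (BasicPolymorphicTypeValidator and activateDefaultTyping were introduced in 2.10); the Envelope bean, the com.example.model package and the GADGET_JSON input are constructed for the demonstration. The JSON only names the gadget class and sets no properties, so it shows which mapper configuration even accepts the type id, which is the whole question for this CVE.

```java
// Added illustration for CVE-2020-35490; not code from the page or the Jackson project.
// Assumes jackson-databind 2.10+ (BasicPolymorphicTypeValidator / activateDefaultTyping
// exist since 2.10). Envelope and "com.example.model." are hypothetical; GADGET_JSON is
// constructed input that names the gadget class without setting any of its properties.
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

import java.io.IOException;

public class DefaultTypingDemo {

    // A property typed as Object is exactly the "broad base type" that makes default
    // typing dangerous: the JSON, not the code, decides which class gets instantiated.
    public static class Envelope {
        public String id;
        public Object payload;
    }

    // Constructed input. Default typing uses WRAPPER_ARRAY form, ["class-name", {...}],
    // so this asks Jackson to instantiate the dbcp2 gadget that databind#2986 blocks.
    static final String GADGET_JSON =
        "{\"id\":\"42\",\"payload\":"
        + "[\"org.apache.commons.dbcp2.datasources.PerUserPoolDataSource\",{}]}";

    /** Weak: the pre-2.10 style global default typing, with no validator at all. */
    @SuppressWarnings("deprecation")
    static ObjectMapper vulnerableMapper() {
        return new ObjectMapper().enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
    }

    /** Hardened: polymorphic resolution only for an explicit allowlist of our own types. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.")   // hypothetical application package
            .build();
        return new ObjectMapper().activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    /** Safest: no default typing; a type id inside the JSON is data, never a class to load. */
    static ObjectMapper plainMapper() {
        return new ObjectMapper();
    }

    /** Returns a one-line description of what the given mapper did with GADGET_JSON. */
    static String tryParse(String label, ObjectMapper mapper) {
        try {
            Envelope e = mapper.readValue(GADGET_JSON, Envelope.class);
            return label + ": ACCEPTED, payload is " + e.payload.getClass().getName();
        } catch (JsonMappingException ex) {
            // InvalidTypeIdException when the validator denies the id or the class is absent;
            // InvalidDefinitionException when SubTypeValidator's deny list rejects the class.
            return label + ": rejected by " + ex.getClass().getSimpleName()
                + " (" + ex.getOriginalMessage() + ")";
        } catch (IOException ex) {
            return label + ": parse failure (" + ex.getOriginalMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // vulnerable: ACCEPTED whenever the running jackson-databind's deny list lacks this
        //             class and commons-dbcp2 is on the classpath (the CVE condition);
        //             InvalidDefinitionException once the class is on the deny list;
        //             InvalidTypeIdException when the class cannot be loaded at all.
        System.out.println(tryParse("vulnerable", vulnerableMapper()));
        // hardened:   InvalidTypeIdException regardless of classpath, because the id is
        //             outside the allowlist; the validator runs before any class loading.
        System.out.println(tryParse("hardened", hardenedMapper()));
        // plain:      ACCEPTED, but payload is a java.util.ArrayList holding a String
        //             and a Map; nothing from dbcp2 is ever instantiated.
        System.out.println(tryParse("plain", plainMapper()));
    }
}
```

The order of checks matters for the hardened mapper: BasicPolymorphicTypeValidator is consulted on the class name before Jackson tries to load the class, so it does not depend on commons-dbcp2 being absent, on the deny list being current, or on the Jackson patch level. That is why an allowlist is the mitigation to keep even after upgrading to 2.9.10.8.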
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.fasterxml.jackson.core:jackson-databind (Maven) | >= 2.0.0, < 2.9.10.8 | 2.9.10.8 |
Affected products
Patches
41b8bdb5ccc1 Fixed #2986
2 files changed · +9 −0
release-notes/VERSION-2.x+5 −0 modified@@ -4,6 +4,11 @@ Project: jackson-databind === Releases === ------------------------------------------------------------------------ +2.9.10.8 (not yet released) + +#2986: Block two more gadget types + (reported by Al1ex@knownsec) + 2.9.10.7 (02-Dec-2020) #2589: `DOMDeserializer`: setExpandEntityReferences(false) may not prevent
src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java+4 −0 modified@@ -207,6 +207,10 @@ public class SubTypeValidator s.add("com.nqadmin.rowset.JdbcRowSetImpl"); s.add("org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl"); + // [databind#2986]: dbcp2 + s.add("org.apache.commons.dbcp2.datasources.PerUserPoolDataSource"); + s.add("org.apache.commons.dbcp2.datasources.SharedPoolDataSource"); + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); }
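Review bot: in the release-notes/VERSION-2.x hunk, the entry "#2986: Block two more gadget types" names neither the blocked classes nor the CVE, so someone reading the changelog cannot tell whether their dependency tree is affected; suggest listing both org.apache.commons.dbcp2.datasources class names from the same commit and the CVE id in the entry, and replacing "(not yet released)" with the release date at release time, as the "2.9.10.7 (02-Dec-2020)" line already does.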
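Review bot: in the SubTypeValidator hunk, the two new s.add(...) entries match the exact names org.apache.commons.dbcp2.datasources.PerUserPoolDataSource and org.apache.commons.dbcp2.datasources.SharedPoolDataSource only, so a subclass of either, or any further dbcp2 DataSource with the same behaviour, still passes DEFAULT_NO_DESER_CLASS_NAMES; the comment "// [databind#2986]: dbcp2" should state that limitation, and the change should come with a regression test that feeds each of the two names through the validator and asserts rejection, since this hunk adds none.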
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] https://github.com/advisories/GHSA-wh8g-3j2c-rqj5 (GitHub Security Advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2020-35490 (NVD)
- [3] https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 (maintainer blog post)
- [4] https://github.com/FasterXML/jackson-databind/commit/41b8bdb5ccc1d8edb71acf1c8234da235a24249d (fix commit)
- [5] https://github.com/FasterXML/jackson-databind/issues/2986 (issue)
- [6] https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html (Debian LTS announcement)
- [7] https://security.netapp.com/advisory/ntap-20210122-0005/ (NetApp advisory)
- [8] https://www.oracle.com/security-alerts/cpuApr2021.html (Oracle CPU, April 2021)
- [9] https://www.oracle.com/security-alerts/cpujul2021.html (Oracle CPU, July 2021)
- [10] https://www.oracle.com/security-alerts/cpuoct2021.html (Oracle CPU, October 2021)
- [11] https://www.oracle.com/security-alerts/cpujan2022.html (Oracle CPU, January 2022)
- [12] https://www.oracle.com/security-alerts/cpuapr2022.html (Oracle CPU, April 2022)
- [13] https://www.oracle.com/security-alerts/cpujul2022.html (Oracle CPU, July 2022)