CVE-2020-35491
Description
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FasterXML jackson-databind before 2.9.10.8 mishandles interaction between serialization gadgets and typing via commons-dbcp2 SharedPoolDataSource.
Vulnerability Overview
CVE-2020-35491 is a deserialization vulnerability in FasterXML jackson-databind versions 2.x prior to 2.9.10.8. The flaw arises from improper handling of the interaction between serialization gadgets and the Default Typing feature, specifically involving the org.apache.commons.dbcp2.datasources.SharedPoolDataSource class. This class acts as a gadget that can be leveraged during deserialization, allowing an attacker to execute arbitrary code if certain conditions are met [1][2].
Attack Vector and Prerequisites
Exploitation requires that Jackson's default typing be enabled (e.g., via @JsonTypeInfo or ObjectMapper.enableDefaultTyping()) and that the vulnerable commons-dbcp2 library be present on the classpath. An attacker can then craft a malicious JSON payload that, when deserialized, triggers the gadget chain. The vulnerability is a type confusion issue in which the SharedPoolDataSource class can be used to invoke dangerous operations, such as JNDI lookups, leading to remote code execution [3][4].
Impact
Successful exploitation allows an unauthenticated attacker to achieve remote code execution in the context of the application. This could lead to full system compromise, data exfiltration, or lateral movement within the network. The vulnerability is rated critical (CVSS base score 9.8) because of its low attack complexity, the absence of any authentication requirement, and its high potential impact on confidentiality, integrity, and availability [2].
Mitigation
The vulnerability is fixed in jackson-databind version 2.9.10.8, which adds the SharedPoolDataSource class to the blacklist of known gadget types [4]. Users should upgrade to this version or later. If upgrading is not immediately possible, disabling default typing or restricting the classpath to exclude commons-dbcp2 can mitigate the risk.
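As an added example (not code from the advisory or from jackson-databind itself), the weak default-typing configuration named in the prerequisites above beside an allowlist-based hardening of it; it assumes jackson-databind 2.10 or later for the PolymorphicTypeValidator API, a hypothetical application package com.example.app, and a constructed AuditEvent type. On 2.9.x that API does not exist and the equivalent mitigation is simply never to call enableDefaultTyping().

```java
package com.example.app;  // hypothetical application package, matched by the allowlist below

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;

public class DefaultTypingHardening {
    public static class AuditEvent { public String action; }  // the app's own type (constructed)

    // Weak: unrestricted default typing accepts any classpath class as a "@class" value, so blocking
    // SharedPoolDataSource depends only on Jackson's built-in denylist (what the 2.9.10.8 patch extends).
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        return new ObjectMapper().enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
    }

    // Hardened (Jackson 2.10+ API): an allowlist validator so only subtypes under our own package may
    // be named in "@class"; a gadget class is refused without being instantiated, on or off the denylist.
    static ObjectMapper hardenedMapper() {
        BasicPolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.app.")
                .build();
        return new ObjectMapper().activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
    }

    // True when the mapper refuses a "@class" naming the dbcp2 gadget type. Only the type id is sent
    // (constructed input, no gadget properties); a denied id surfaces as InvalidTypeIdException.
    static boolean rejectsGadgetTypeId(ObjectMapper mapper) throws Exception {
        String untrusted = "{\"@class\":\"org.apache.commons.dbcp2.datasources.SharedPoolDataSource\"}";
        try {
            mapper.readValue(untrusted, Object.class);
            return false;
        } catch (JsonMappingException e) {   // InvalidTypeIdException is a JsonMappingException
            return true;
        }
    }

    // Sanity check that the allowlist does not break the application's own types.
    static boolean roundTripsOwnType(ObjectMapper mapper) throws Exception {
        AuditEvent event = new AuditEvent();
        event.action = "login";
        String json = mapper.writeValueAsString(event);   // emits "@class" for AuditEvent
        return mapper.readValue(json, Object.class) instanceof AuditEvent;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();
        System.out.println("own type ok: " + roundTripsOwnType(mapper) + ", gadget id rejected: " + rejectsGadgetTypeId(mapper));
    }
}
```

With the weak mapper the same gadget id is refused only when the running jackson-databind already carries the denylist entry from the patch, which is exactly the dependency the allowlist removes.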
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.fasterxml.jackson.core:jackson-databind (Maven) | >= 2.0.0, < 2.9.10.8 | 2.9.10.8 |
Patches (1)
Commit 41b8bdb5ccc1: Fixed #2986
2 files changed · +9 −0
release-notes/VERSION-2.x+5 −0 modified@@ -4,6 +4,11 @@ Project: jackson-databind === Releases === ------------------------------------------------------------------------ +2.9.10.8 (not yet released) + +#2986: Block two more gadget types + (reported by Al1ex@knownsec) + 2.9.10.7 (02-Dec-2020) #2589: `DOMDeserializer`: setExpandEntityReferences(false) may not prevent
src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java+4 −0 modified@@ -207,6 +207,10 @@ public class SubTypeValidator s.add("com.nqadmin.rowset.JdbcRowSetImpl"); s.add("org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl"); + // [databind#2986]: dbcp2 + s.add("org.apache.commons.dbcp2.datasources.PerUserPoolDataSource"); + s.add("org.apache.commons.dbcp2.datasources.SharedPoolDataSource"); + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); }
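Review bot: the release-notes entry "#2986: Block two more gadget types" does not say which types; naming the two classes (org.apache.commons.dbcp2.datasources.PerUserPoolDataSource and SharedPoolDataSource) in the note would let users search the changelog for the dbcp2 types without opening SubTypeValidator.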
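Review bot: the two new s.add(...) lines extend DEFAULT_NO_DESER_CLASS_NAMES with exact class names only, and the commit touches no test file (2 files changed, both non-test); a regression test asserting that these two ids are refused under default typing would guard the entries, and a remark beside the `// [databind#2986]: dbcp2` comment that the match is exact (a subclass of either DataSource is not covered) would make the limit of this denylist fix explicit.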
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-r3gr-cxrf-hg25 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-35491 (NVD entry)
- cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 (web)
- github.com/FasterXML/jackson-databind/commit/41b8bdb5ccc1d8edb71acf1c8234da235a24249d (fix commit)
- github.com/FasterXML/jackson-databind/issues/2986 (issue)
- lists.debian.org/debian-lts-announce/2021/04/msg00025.html (Debian LTS mailing list)
- security.netapp.com/advisory/ntap-20210122-0005/ (NetApp advisory)
- www.oracle.com//security-alerts/cpujul2021.html (Oracle Critical Patch Update)
- www.oracle.com/security-alerts/cpuApr2021.html (Oracle Critical Patch Update)
- www.oracle.com/security-alerts/cpuapr2022.html (Oracle Critical Patch Update)
- www.oracle.com/security-alerts/cpujan2022.html (Oracle Critical Patch Update)
- www.oracle.com/security-alerts/cpujul2022.html (Oracle Critical Patch Update)
- www.oracle.com/security-alerts/cpuoct2021.html (Oracle Critical Patch Update)