jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)
Description
Summary
JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect.
Impact
An attacker controlling JSON deserialized into an InetSocketAddress-bearing type can force outbound DNS lookups for attacker-chosen hostnames at deserialization time (SSRF / DNS-based out-of-band interaction / internal-resolver probing), purely from binding.
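The mitigation described above, as an added example that is not jackson-databind's own code: a Jackson 2.x module that replaces the default InetSocketAddress deserializer with one calling InetSocketAddress.createUnresolved(host, port), so binding stores the hostname as text and issues no DNS query. The accepted string shapes ("host:port" and "[ipv6-literal]:port"), the class names, and the sample input are assumptions for this example.

```java
import java.io.IOException;
import java.net.InetSocketAddress;

import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.deser.std.StdDeserializer;
import com.fasterxml.jackson.databind.module.SimpleModule;

/**
 * Added example (not jackson-databind's own code): a module whose
 * InetSocketAddress deserializer never resolves DNS during binding.
 * Name resolution is deferred to whatever code later connects.
 */
public class UnresolvedSocketAddressModule extends SimpleModule {

    public UnresolvedSocketAddressModule() {
        super("UnresolvedSocketAddressModule");
        addDeserializer(InetSocketAddress.class, new UnresolvedDeserializer());
    }

    static final class UnresolvedDeserializer extends StdDeserializer<InetSocketAddress> {
        UnresolvedDeserializer() {
            super(InetSocketAddress.class);
        }

        @Override
        public InetSocketAddress deserialize(JsonParser p, DeserializationContext ctxt)
                throws IOException {
            if (!p.hasToken(JsonToken.VALUE_STRING)) {
                return (InetSocketAddress) ctxt.handleUnexpectedToken(InetSocketAddress.class, p);
            }
            String text = p.getText().trim();
            String host;
            String portText;
            // Accepted shapes (assumption for this example): "host:port" and "[ipv6]:port".
            if (text.startsWith("[")) {
                int close = text.indexOf(']');
                if (close < 0 || close + 2 > text.length() || text.charAt(close + 1) != ':') {
                    throw ctxt.weirdStringException(text, InetSocketAddress.class,
                            "expected \"[ipv6-literal]:port\"");
                }
                host = text.substring(1, close);
                portText = text.substring(close + 2);
            } else {
                int colon = text.lastIndexOf(':');
                if (colon <= 0) {
                    throw ctxt.weirdStringException(text, InetSocketAddress.class,
                            "expected \"host:port\"");
                }
                host = text.substring(0, colon);
                portText = text.substring(colon + 1);
            }
            int port;
            try {
                port = Integer.parseInt(portText);
            } catch (NumberFormatException e) {
                throw ctxt.weirdStringException(text, InetSocketAddress.class,
                        "port is not a number");
            }
            if (port < 0 || port > 65535) {
                throw ctxt.weirdStringException(text, InetSocketAddress.class,
                        "port out of range");
            }
            // createUnresolved() keeps the literal host string and issues no DNS query;
            // new InetSocketAddress(host, port) would resolve the name right here.
            return InetSocketAddress.createUnresolved(host, port);
        }
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper()
                .registerModule(new UnresolvedSocketAddressModule());

        // Constructed sample input; "example.invalid" is a reserved name that never resolves.
        InetSocketAddress addr =
                mapper.readValue("\"example.invalid:8443\"", InetSocketAddress.class);

        // Binding kept the hostname as text and contacted no resolver.
        if (!addr.isUnresolved()) {
            throw new IllegalStateException("address was resolved during deserialization");
        }
        System.out.println(addr.getHostString() + ":" + addr.getPort()
                + " unresolved=" + addr.isUnresolved());
    }
}
```

Upgrading to a patched release is the primary fix; a module like this is a stopgap for applications pinned to an older version, and it only helps if every ObjectMapper that binds untrusted input registers it. The isUnresolved() check in main is the assertion worth keeping in a regression test.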
## Affected / Patched (verified via git tag --contains on 1f5a103)
- 2.18 line: >= 2.18.0, < 2.18.8 -> fixed in 2.18.8
- 2.19-2.21 line: >= 2.19.0, < 2.21.4 -> fixed in 2.21.4
- 3.x line: >= 3.0.0, < 3.1.4 -> fixed in 3.1.4
## Severity / CWE
Maintainer: minor. Reporter: LOW. CWE-918 (SSRF).
Upstream fix
FasterXML/jackson-databind#5951 ("Improve InetSocketAddress deserialization"). Released 2026-06-04 in 2.18.8 / 2.21.4 / 3.1.4.
Credits
Omkhar Arasaratnam (@omkhar) - finder.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| com.fasterxml.jackson.core:jackson-databind | Maven | >= 2.0.0, < 2.18.8 | 2.18.8 |
| com.fasterxml.jackson.core:jackson-databind | Maven | >= 2.19.0, < 2.21.4 | 2.21.4 |
| com.fasterxml.jackson.core:jackson-databind | Maven | >= 3.0.0, < 3.1.4 | 3.1.4 |
| tools.jackson.core:jackson-databind | Maven | >= 2.19.0, < 2.21.4 | 2.21.4 |
| tools.jackson.core:jackson-databind | Maven | >= 3.0.0, < 3.1.4 | 3.1.4 |
Affected products
- Range: >= 2.18.0, < 2.18.8 || >= 2.19.0, < 2.21.4 || >= 3.0.0, < 3.1.4
- GHSA coordinates, versions: >= 2.0.0, < 2.18.8 (+ 1 more)
- (no CPE) range: >= 2.0.0, < 2.18.8
- (no CPE) range: >= 2.19.0, < 2.21.4
References
News mentions
No linked articles in our index yet.