Maven package
com.fasterxml.jackson.core/jackson-databind
pkg:maven/com.fasterxml.jackson.core/jackson-databind
Vulnerabilities (76)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-54517 | med | — | >= 2.21.0, < 2.21.4 | 2.21.4 | Jun 23, 2026 | ## Summary In `BeanDeserializer._deserializeUsingPropertyBased`, the active-view (`@JsonView`) filter was applied only to creator properties; the regular property-buffering branch performed no `prop.visibleInView(activeView)` check. A change making `SetterlessProperty.isMerging() | |
| CVE-2026-54516 | med | — | >= 2.21.0, < 2.21.4 | 2.21.4 | Jun 23, 2026 | ## Summary `POJOPropertiesCollector._renameProperties()` allows a property with `@JsonProperty("renamed")` on the getter and `@JsonIgnore` on the setter to be renamed rather than dropped. With `MapperFeature.INFER_PROPERTY_MUTATORS` enabled (default), the private backing field is | |
| CVE-2026-54515 | med | — | >= 3.1.0, < 3.1.4 | 3.1.4 | Jun 23, 2026 | ## Summary In `BeanDeserializerBase.createContextual()`, per-property `@JsonIgnoreProperties` exclusions are applied by `_handleByNameInclusion()`, producing a `contextual` deserializer whose `BeanPropertyMap` has the ignored properties removed. The subsequent per-property case-i | |
| CVE-2026-54514 | med | — | >= 2.0.0, < 2.18.8 | 2.18.8 | Jun 23, 2026 | ## Summary `JDKFromStringDeserializer` constructed `InetSocketAddress` with `new InetSocketAddress(host, port)`, which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an `InetSocketAdd | |
| CVE-2026-54513 | hig | — | >= 2.10.0, < 2.18.8 | 2.18.8 | Jun 23, 2026 | ## Summary `BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray()` allowlists any array type based only on `clazz.isArray()`, without validating the array's component (element) type against the configured allowlist. A PTV built with `allowIfSubTypeIsArray()` plus an expli | |
| CVE-2026-54512 | hig | — | >= 2.10.0, < 2.18.8 | 2.18.8 | Jun 23, 2026 | `jackson-databind`'s `PolymorphicTypeValidator` (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains `<`), `DatabindContext._resolveAndVal | |
| CVE-2026-50193 | med | — | >= 2.10.0, < 2.14.0 | 2.14.0 | Jun 23, 2026 | ### Impact Potential Denial-of-Service when attacker sends deeply nested JSON if (and only if) service: 1. Reads deeply nested (1000s of levels) JSON as `JsonNode` (ObjectMapper.readTree()) 2. Writes out same (or modifided) node using `JsonNode.toString()` which can consume si | |
| CVE-2026-54518 | med | — | >= 2.21.0, < 2.21.4 | 2.21.4 | Jun 23, 2026 | ## Summary `UnwrappedPropertyHandler.processUnwrappedCreatorProperties()` replays buffered JSON into creator parameters but never consults `prop.visibleInView(activeView)`. The normal property-based creator path gates creator properties on the active view, but this unwrapped-crea | |
| CVE-2021-46877 | — | >= 2.10.0, < 2.12.6 | 2.12.6 | Mar 18, 2023 | jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. | ||
| CVE-2020-10650 | — | < 2.9.10.4 | 2.9.10.4 | Dec 26, 2022 | A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and | ||
| CVE-2022-42003 | — | >= 2.4.0-rc1, < 2.12.7.1 | 2.12.7.1 | Oct 2, 2022 | In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. | ||
| CVE-2020-36518 | — | >= 2.13.0, < 2.13.2.1 | 2.13.2.1 | Mar 11, 2022 | jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. | ||
| CVE-2021-20190 | — | >= 2.7.0, < 2.9.10.7 | 2.9.10.7 | Jan 19, 2021 | A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | ||
| CVE-2020-36183 | Hig | 8.1 | >= 2.7.00, < 2.9.10.8 | 2.9.10.8 | Jan 7, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. | |
| CVE-2020-36179 | — | >= 2.7.0, < 2.9.10.8 | 2.9.10.8 | Jan 6, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS. | ||
| CVE-2020-36180 | — | >= 2.7.0, < 2.9.10.8 | 2.9.10.8 | Jan 6, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS. | ||
| CVE-2020-36182 | — | >= 2.7.0, < 2.9.10.8 | 2.9.10.8 | Jan 6, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS. | ||
| CVE-2020-36184 | — | >= 2.0.0, < 2.9.10.8 | 2.9.10.8 | Jan 6, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. | ||
| CVE-2020-36185 | — | >= 2.0.0, < 2.9.10.8 | 2.9.10.8 | Jan 6, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource. | ||
| CVE-2020-36186 | — | >= 2.0.0, < 2.9.10.8 | 2.9.10.8 | Jan 6, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource. |
- affected >= 2.21.0, < 2.21.4fixed 2.21.4
## Summary In `BeanDeserializer._deserializeUsingPropertyBased`, the active-view (`@JsonView`) filter was applied only to creator properties; the regular property-buffering branch performed no `prop.visibleInView(activeView)` check. A change making `SetterlessProperty.isMerging()
- affected >= 2.21.0, < 2.21.4fixed 2.21.4
## Summary `POJOPropertiesCollector._renameProperties()` allows a property with `@JsonProperty("renamed")` on the getter and `@JsonIgnore` on the setter to be renamed rather than dropped. With `MapperFeature.INFER_PROPERTY_MUTATORS` enabled (default), the private backing field is
- affected >= 3.1.0, < 3.1.4fixed 3.1.4
## Summary In `BeanDeserializerBase.createContextual()`, per-property `@JsonIgnoreProperties` exclusions are applied by `_handleByNameInclusion()`, producing a `contextual` deserializer whose `BeanPropertyMap` has the ignored properties removed. The subsequent per-property case-i
- affected >= 2.0.0, < 2.18.8fixed 2.18.8
## Summary `JDKFromStringDeserializer` constructed `InetSocketAddress` with `new InetSocketAddress(host, port)`, which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an `InetSocketAdd
- affected >= 2.10.0, < 2.18.8fixed 2.18.8
## Summary `BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray()` allowlists any array type based only on `clazz.isArray()`, without validating the array's component (element) type against the configured allowlist. A PTV built with `allowIfSubTypeIsArray()` plus an expli
- affected >= 2.10.0, < 2.18.8fixed 2.18.8
`jackson-databind`'s `PolymorphicTypeValidator` (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains `<`), `DatabindContext._resolveAndVal
- affected >= 2.10.0, < 2.14.0fixed 2.14.0
### Impact Potential Denial-of-Service when attacker sends deeply nested JSON if (and only if) service: 1. Reads deeply nested (1000s of levels) JSON as `JsonNode` (ObjectMapper.readTree()) 2. Writes out same (or modifided) node using `JsonNode.toString()` which can consume si
- affected >= 2.21.0, < 2.21.4fixed 2.21.4
## Summary `UnwrappedPropertyHandler.processUnwrappedCreatorProperties()` replays buffered JSON into creator parameters but never consults `prop.visibleInView(activeView)`. The normal property-based creator path gates creator properties on the active view, but this unwrapped-crea
- CVE-2021-46877Mar 18, 2023affected >= 2.10.0, < 2.12.6fixed 2.12.6
jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
- CVE-2020-10650Dec 26, 2022affected < 2.9.10.4fixed 2.9.10.4
A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and
- CVE-2022-42003Oct 2, 2022affected >= 2.4.0-rc1, < 2.12.7.1fixed 2.12.7.1
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
- CVE-2020-36518Mar 11, 2022affected >= 2.13.0, < 2.13.2.1fixed 2.13.2.1
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
- CVE-2021-20190Jan 19, 2021affected >= 2.7.0, < 2.9.10.7fixed 2.9.10.7
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
- affected >= 2.7.00, < 2.9.10.8fixed 2.9.10.8
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
- CVE-2020-36179Jan 6, 2021affected >= 2.7.0, < 2.9.10.8fixed 2.9.10.8
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
- CVE-2020-36180Jan 6, 2021affected >= 2.7.0, < 2.9.10.8fixed 2.9.10.8
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
- CVE-2020-36182Jan 6, 2021affected >= 2.7.0, < 2.9.10.8fixed 2.9.10.8
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
- CVE-2020-36184Jan 6, 2021affected >= 2.0.0, < 2.9.10.8fixed 2.9.10.8
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
- CVE-2020-36185Jan 6, 2021affected >= 2.0.0, < 2.9.10.8fixed 2.9.10.8
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
- CVE-2020-36186Jan 6, 2021affected >= 2.0.0, < 2.9.10.8fixed 2.9.10.8
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
Page 1 of 4