CVE-2026-54513

Remote Code Execution
Affects: jackson-databind in Jackson
Versions: >=2.10.0 <2.18.8, >=2.19.0 <2.21.4, >=3.0.0 <3.1.4
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

jackson-databind is the general-purpose data-binding package of the FasterXML Jackson suite. It provides full data-binding (object serialization and deserialization) on top of the Jackson streaming parser/generator (jackson-core) and the Jackson annotations (jackson-annotations), and is one of the most widely used JSON libraries for Java.

A Remote Code Execution (RCE) vulnerability (CVE-2026-54513) has been identified in jackson-databind's BasicPolymorphicTypeValidator, which allows attackers to bypass a polymorphic-type allowlist and have Jackson instantiate a non-allowlisted class during deserialization. When an application builds its validator with allowIfSubTypeIsArray() alongside an explicit allowlist, an attacker who controls the deserialized JSON can supply an array of a disallowed element type, re-opening the gadget-instantiation path the validator is designed to block and, with a suitable gadget class on the classpath, achieving remote code execution.

Per OWASP: Data which is untrusted cannot be trusted to be well formed. Malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code, when deserialized.

This issue affects versions >=2.10.0 <2.18.8, >=2.19.0 <2.21.4, and >=3.0.0 <3.1.4 of jackson-databind.

Details

Vulnerability Info

This Critical-severity vulnerability is found in the jackson-databind package. BasicPolymorphicTypeValidator is the validator applications configure to restrict which classes Jackson may instantiate when polymorphic type handling (default typing or @JsonTypeInfo) is enabled. Its builder offers allowIfSubTypeIsArray() so that array sub-types can be permitted, intended to be combined with an explicit allowlist so that only arrays of safe element types are accepted.

The builder method registers a matcher that approves any sub-type whose raw class is an array, with no check on the array's element (component) type:

public Builder allowIfSubTypeIsArray() {
    return _appendSubClassMatcher(new TypeMatcher() {
        @Override
        public boolean match(MapperConfig<?> config, Class<?> clazz) {
            // Approves every array class; the component type is never consulted
            return clazz.isArray();
        }
    });
}

During validation, validateSubType() runs the raw (array) class through the configured sub-class matchers; the array matcher returns a positive result for any array, so the component type is never validated against the allowlist. An attacker who can supply JSON deserialized against such a mapper can therefore present an array of a non-allowlisted type, for example EvilType[], and Jackson will resolve and instantiate the disallowed component type through ordinary bean deserialization with attacker-controlled property values. This is the gadget-instantiation primitive the validator exists to prevent, and with a reachable gadget on the classpath it can lead to remote code execution. Exploitation requires the application to enable polymorphic deserialization and to have configured the validator with allowIfSubTypeIsArray().
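The following is an added example, not code from the advisory or from the Jackson project, showing the weak configuration described above next to a hardened alternative that unwraps array types and checks the component type against the same allowlist. It targets the jackson-databind 2.x package names (com.fasterxml.jackson.databind); the SafeEvent and OtherBean classes and the ALLOWED set are assumptions made for the illustration. The check() helper calls the validator's validateSubType() directly, so the difference can be observed without deserializing any input.

```java
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.MapperConfig;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator.Validity;

import java.util.Set;

public class ArrayAllowlistDemo {

    // Hypothetical application types, assumed for this example only.
    public static class SafeEvent { public String name; }
    public static class OtherBean { public String value; }

    // The element types the application actually intends to accept.
    static final Set<Class<?>> ALLOWED = Set.of(SafeEvent.class);

    // Weak configuration (the pattern the advisory describes): the array matcher
    // approves any array class, so OtherBean[] passes even though OtherBean is
    // not on the allowlist.
    static PolymorphicTypeValidator weakValidator() {
        return BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(SafeEvent.class)
                .allowIfSubTypeIsArray()
                .build();
    }

    // Hardened configuration: instead of allowIfSubTypeIsArray(), a custom
    // TypeMatcher strips array dimensions and requires the component type
    // itself to be allowlisted. Non-array allowlisted types still match.
    static PolymorphicTypeValidator hardenedValidator() {
        return BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(new BasicPolymorphicTypeValidator.TypeMatcher() {
                    @Override
                    public boolean match(MapperConfig<?> config, Class<?> clazz) {
                        Class<?> component = clazz;
                        while (component.isArray()) {          // also covers nested arrays
                            component = component.getComponentType();
                        }
                        return ALLOWED.contains(component);
                    }
                })
                .build();
    }

    // Runs the sub-type matchers of a validator for the given candidate class.
    // BasicPolymorphicTypeValidator returns ALLOWED when a matcher accepts the
    // class and INDETERMINATE otherwise; Jackson treats anything other than
    // ALLOWED at the end of validation as a rejection.
    static Validity check(PolymorphicTypeValidator ptv, Class<?> candidate) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        JavaType base = mapper.constructType(Object.class);
        JavaType sub = mapper.constructType(candidate);
        return ptv.validateSubType(mapper.getDeserializationConfig(), base, sub);
    }

    public static void main(String[] args) throws Exception {
        PolymorphicTypeValidator weak = weakValidator();
        PolymorphicTypeValidator hardened = hardenedValidator();

        // Weak validator: any array is accepted, including a non-allowlisted element type.
        System.out.println("weak     SafeEvent[]  -> " + check(weak, SafeEvent[].class));   // ALLOWED
        System.out.println("weak     OtherBean[]  -> " + check(weak, OtherBean[].class));   // ALLOWED (the bypass)

        // Hardened validator: only arrays whose component type is allowlisted are accepted.
        System.out.println("hardened SafeEvent[]  -> " + check(hardened, SafeEvent[].class)); // ALLOWED
        System.out.println("hardened OtherBean[]  -> " + check(hardened, OtherBean[].class)); // INDETERMINATE (rejected)
        System.out.println("hardened SafeEvent    -> " + check(hardened, SafeEvent.class));   // ALLOWED

        // A mapper would then be configured with the hardened validator, e.g.:
        // new ObjectMapper().activateDefaultTyping(hardened, ObjectMapper.DefaultTyping.NON_FINAL);
    }
}
```

The custom matcher is a workaround for code bases that cannot move to a fixed release immediately; the fixed versions listed in this advisory remain the primary remedy. Note that allowIfSubType(Class) accepts subclasses of the given class (it uses assignability), so the ALLOWED set in the hardened matcher is deliberately an exact-class check to keep the example strict.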

Mitigation

Only recent versions of Jackson are community-supported. The affected 2.13.x, 2.14.x and 2.15.x lines are End-of-Life and will not receive public updates to address this issue. There is no publicly available fix for these lines; NES for Jackson is the remedy.

Users of the affected components should apply one of the following mitigations:

  • Upgrade jackson-databind to a currently supported 2.x or 3.x release that contains the fix (per the affected ranges above: 2.18.8, 2.21.4 or 3.1.4 and later).
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

Vulnerability Details

Severity: Critical (CVSS scale used: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
ID: CVE-2026-54513
Project Affected: jackson-databind
Versions Affected: >=2.10.0 <2.18.8, >=2.19.0 <2.21.4, >=3.0.0 <3.1.4
NES Versions Affected:
Published date: June 22, 2026
≈ Fix date: June 22, 2026
Category: Remote Code Execution