CVE-2026-54514

Server-Side Request Forgery
Affects
jackson-databind
in
Jackson
Versions
>=2.0.0 <2.18.8, >=2.19.0 <2.21.4, >=3.0.0 <3.1.4
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

jackson-databind is the general-purpose data-binding package of the FasterXML Jackson suite. It provides full data-binding (object serialization and deserialization) on top of the Jackson streaming parser/generator (jackson-core) and the Jackson annotations (jackson-annotations), and is one of the most widely used JSON libraries for Java.

A server-side request forgery vulnerability (CVE-2026-54514) has been identified in jackson-databind, which allows attackers to force the server to perform an outbound DNS lookup for an attacker-chosen hostname during deserialization. When JSON is bound into a type that contains an InetSocketAddress, the deserializer constructs the address with eager name resolution, so an attacker-controlled hostname is resolved before any application-level validation runs.

Per OWASP: In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources.

This issue affects versions >=2.10.0 <2.18.8, >=2.19.0 <2.21.4, and >=3.0.0 <3.1.4 of jackson-databind.

Details

Module Info

Vulnerability Info

This Medium-severity vulnerability is found in the jackson-databind package. The string-like type deserializer FromStringDeserializer.Std binds a JSON string into an InetSocketAddress by calling the standard JDK constructor, which performs eager DNS resolution of the supplied hostname. Because this happens at readValue time, an application that deserializes attacker-controlled JSON into any type containing an InetSocketAddress field triggers an outbound DNS query for the attacker's chosen name before the application can inspect or reject the value. No polymorphic typing, default typing, or gadget chain is required; this is plain data binding of a standard JDK type.

The InetSocketAddress.class branch of FromStringDeserializer.Std._deserialize constructs the address directly, eagerly resolving the host in each case:

return new InetSocketAddress(value.substring(0, i + 1), port);   // bracketed IPv6 + port
return new InetSocketAddress(value.substring(0, ix), port);      // host:port
return new InetSocketAddress(value, 0);                          // host / unbracketed IPv6

The JDK InetSocketAddress(String, int) constructor attempts to resolve the hostname to an InetAddress at construction time, so the lookup is performed as a side effect of deserialization. The impact is limited to forcing a DNS resolution for an attacker-chosen hostname, which can be used for out-of-band interaction or to probe internal name resolvers.

Steps to Reproduce

  1. Configure an application that deserializes untrusted JSON into a type containing an InetSocketAddress, for example by calling objectMapper.readValue(json, InetSocketAddress.class).
  2. Submit a JSON string whose host component is an attacker-controlled name pointing at an out-of-band collector, for example "attacker.example.com:9999".
  3. Observe that an outbound DNS lookup for attacker.example.com is issued at deserialization time, before any application-level validation of the value.

Mitigation

Only recent versions of jackson-databind are community-supported. The affected 2.13.x, 2.14.x, and 2.15.x lines are End-of-Life and will not receive public updates to address this issue. There is no publicly available fix for these lines; NES for Jackson is the remedy.

Users of the affected components should apply one of the following mitigations:

  • Upgrade jackson-databind to a currently supported 2.x or 3.x release that contains the fix.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
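The deserializer described under Vulnerability Info resolves the host as a side effect of binding, so the only reliable application-level control is to bind the value without resolving it and decide about resolution afterwards. The following is an added example, not code from the advisory or from the Jackson project: a Jackson module (hypothetical names UnresolvedSocketAddressModule and UnresolvedDeserializer) that parses the same three string shapes the stock code handles but builds the result with the JDK's InetSocketAddress.createUnresolved(), which never touches the resolver. It assumes jackson-databind 2.x on the classpath and a constructed .invalid hostname, which by RFC 2606 is never resolvable.

```java
// Added example, not part of the advisory or of jackson-databind.
// Binds a JSON string to an InetSocketAddress WITHOUT eager name resolution,
// so the application can validate the host before any DNS query is issued.
// Assumes jackson-databind 2.x; class names other than Jackson/JDK APIs are hypothetical.
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.deser.std.StdDeserializer;
import com.fasterxml.jackson.databind.module.SimpleModule;

import java.io.IOException;
import java.net.InetSocketAddress;

public class UnresolvedSocketAddressModule extends SimpleModule {

    public UnresolvedSocketAddressModule() {
        super("UnresolvedSocketAddressModule");
        // Overrides the built-in FromStringDeserializer for this one JDK type.
        addDeserializer(InetSocketAddress.class, new UnresolvedDeserializer());
    }

    /** Parses "host:port", "[v6]:port", "host" or "v6" into an unresolved address. */
    static final class UnresolvedDeserializer extends StdDeserializer<InetSocketAddress> {
        UnresolvedDeserializer() { super(InetSocketAddress.class); }

        @Override
        public InetSocketAddress deserialize(JsonParser p, DeserializationContext ctxt)
                throws IOException {
            String value = p.getValueAsString();
            if (value == null || value.isEmpty()) {
                return (InetSocketAddress) ctxt.handleWeirdStringValue(
                        InetSocketAddress.class, value, "empty socket address");
            }
            String host;
            int port = 0;
            if (value.startsWith("[")) {
                int close = value.indexOf(']');
                if (close < 0) {
                    return (InetSocketAddress) ctxt.handleWeirdStringValue(
                            InetSocketAddress.class, value, "unterminated bracketed IPv6 literal");
                }
                host = value.substring(0, close + 1); // keep the brackets, as the stock code does
                if (close + 1 < value.length() && value.charAt(close + 1) == ':') {
                    port = parsePort(value.substring(close + 2), ctxt, value);
                }
            } else {
                int colon = value.indexOf(':');
                if (colon >= 0 && value.indexOf(':', colon + 1) < 0) { // exactly one ':' => host:port
                    host = value.substring(0, colon);
                    port = parsePort(value.substring(colon + 1), ctxt, value);
                } else {
                    host = value; // plain host, or an unbracketed IPv6 literal (several ':')
                }
            }
            // createUnresolved() performs no lookup. Resolution, if any, happens
            // later and only for hosts the application has accepted.
            return InetSocketAddress.createUnresolved(host, port);
        }

        private static int parsePort(String s, DeserializationContext ctxt, String raw)
                throws IOException {
            try {
                int port = Integer.parseInt(s);
                if (port < 0 || port > 65535) throw new NumberFormatException();
                return port;
            } catch (NumberFormatException e) {
                ctxt.handleWeirdStringValue(InetSocketAddress.class, raw, "invalid port");
                return 0; // not reached: the default context throws InvalidFormatException
            }
        }
    }

    // Stand-alone check: with the module registered, binding yields an unresolved
    // address, and a hypothetical allow-list decides whether it may be resolved.
    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper()
                .registerModule(new UnresolvedSocketAddressModule());
        // Constructed input: the .invalid TLD (RFC 2606) is never resolvable.
        InetSocketAddress addr = mapper.readValue("\"collector.invalid:9999\"", InetSocketAddress.class);
        System.out.println(addr.getHostString() + ":" + addr.getPort()
                + " unresolved=" + addr.isUnresolved());
        if (!addr.getHostString().endsWith(".corp.example")) { // hypothetical allow-list rule
            throw new IllegalArgumentException("host not permitted: " + addr.getHostString());
        }
        // Only an accepted host would be resolved here, e.g. with new InetSocketAddress(host, port).
    }
}
```

Registering this module on every ObjectMapper that handles untrusted input removes the resolver side effect for direct InetSocketAddress bindings and for fields of that type nested in larger POJOs; it does not replace upgrading to a fixed release, since any other code path that constructs the address from the raw string will still resolve it.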

Credits

Vulnerability Details

Severity: Medium
Severity scale (CVSS): Low >=0 <4; Medium >=4 <6; High >=6 <8; Critical >=8 <10
ID: CVE-2026-54514
Project Affected: jackson-databind
Versions Affected: >=2.0.0 <2.18.8, >=2.19.0 <2.21.4, >=3.0.0 <3.1.4
NES Versions Affected:
Published date: June 22, 2026
≈ Fix date: June 22, 2026
Category: Server-Side Request Forgery