Description
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.
Published: 2026-06-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Deserialization of JSON containing an InetSocketAddress field causes the Jackson library to create a new InetSocketAddress with eager DNS name resolution at parse time. The lookup occurs before any application‑level validation or explicit network connection logic, allowing an attacker to force the host to resolve arbitrary domain names. The impact is typical SSRF: internal or external network reconnaissance and unwanted outbound connections. The weakness is identified as CWE‑502.

Affected Systems

The vulnerability affects FasterXML jackson‑databind releases from version 2.0.0 up to but excluding 2.18.8, 2.21.4, and 3.1.4. All earlier releases contain the flaw where InetSocketAddress is instantiated with new InetSocketAddress(host, port), and 3.1.4 and later fix the issue by deferring DNS resolution until a later connect call.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score of < 1% signals a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploits at the time. An attacker can exploit the flaw by supplying crafted JSON to any component that deserializes untrusted deserialization for InetSocketAddress. to accept external JSON and invoke the standard deserializer, after which unsolicited DNS queries or connections will be triggered.

Generated by OpenCVE AI on July 1, 2026 at 12:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade jackson‑databind to version 2.18.8, 2.21.4, 3.1.4 or DNS resolution until an explicit connect call
  • Restrict or reject deserialization of InetSocketAddress fields from untrusted input, for example by disabling the default deserializer or using a custom deserializer that validates hostnames before resolving
  • default deserialization call with a custom implementation that uses InetSocketAddress.createUnresolved(host,port) to delay DNS resolution until a controlled connect operation

Generated by OpenCVE AI on July 1, 2026 at 12:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hgj6-7826-r7m5 jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)
History

Wed, 01 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-502
References
Metrics threat_severity

None

threat_severity

Moderate


Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Fasterxml
Fasterxml jackson-databind
Vendors & Products Fasterxml
Fasterxml jackson-databind

Tue, 23 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.
Title jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Fasterxml Jackson-databind
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T12:59:39.055Z

Reserved: 2026-06-15T18:01:15.514Z

Link: CVE-2026-54514

cve-icon Vulnrichment

Updated: 2026-06-25T12:59:35.285Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-23T20:51:50Z

Links: CVE-2026-54514 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T13:00:15Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data

  • CWE-918

    Server-Side Request Forgery (SSRF)