Impact
Deserialization of JSON containing an InetSocketAddress field causes the Jackson library to create a new InetSocketAddress with eager DNS name resolution at parse time. The lookup occurs before any application‑level validation or explicit network connection logic, allowing an attacker to force the host to resolve arbitrary domain names. The impact is typical SSRF: internal or external network reconnaissance and unwanted outbound connections. The weakness is identified as CWE‑502.
Affected Systems
The vulnerability affects FasterXML jackson‑databind releases from version 2.0.0 up to but excluding 2.18.8, 2.21.4, and 3.1.4. All earlier releases contain the flaw where InetSocketAddress is instantiated with new InetSocketAddress(host, port), and 3.1.4 and later fix the issue by deferring DNS resolution until a later connect call.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity. The EPSS score of < 1% signals a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploits at the time. An attacker can exploit the flaw by supplying crafted JSON to any component that deserializes untrusted deserialization for InetSocketAddress. to accept external JSON and invoke the standard deserializer, after which unsolicited DNS queries or connections will be triggered.
OpenCVE Enrichment
Github GHSA