Description
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.
Published: 2026-06-23
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Deserializing JSON that contains an InetSocketAddress field triggers an eager DNS lookup when the default JDKFromStringDeserializer constructs the address with new InetSocketAddress(host, port). This happens before any application-level validation or network connect logic, so an attacker can force the application to resolve arbitrary hostnames at deserialization time. The primary consequence is the ability to perform internal network reconnaissance or create outbound connections, a classic SSRF risk, without gaining code execution or privilege escalation.

Affected Systems

The vulnerability affects the FasterXML jackson-databind library in versions from 2.0.0 up to but not including 2.18.8, 2.21.4, and 3.1.4. These releases create InetSocketAddress with eager DNS resolution during deserialization. Versions 2.18.8, 2.21.4, 3.1.4 and later defer DNS resolution until an explicit connect call.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known public exploitation at this time. An attacker can exploit this flaw by supplying crafted JSON to any component that deserializes untrusted input with the affected library, causing unsolicited DNS queries or connections. Exploitation requires that the application accepts untrusted JSON and uses the default deserialization mechanism for InetSocketAddress objects.

Generated by OpenCVE AI on June 24, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade jackson-databind to 2.18.8, 2.21.4, 3.1.4 or later, which defer DNS resolution until an explicit connect
  • Block or remove deserialization of InetSocketAddress fields from untrusted input, using custom deserializers or input validation to prevent premature DNS lookup
  • If updating is not immediately possible, replace the deserialization call with a custom implementation that uses InetSocketAddress.createUnresolved(host, port) to delay DNS resolution until a controlled connect operation
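As an added example that is not part of this advisory or of jackson-databind's own code, the following custom deserializer implements the third recommendation above for the Jackson 2.x API (com.fasterxml packages) and the library's host:port string form: binding untrusted JSON yields an unresolved address, and DNS is consulted only when the application later resolves the host after validating it.

```java
import java.io.IOException;
import java.net.InetSocketAddress;

import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.deser.std.StdDeserializer;
import com.fasterxml.jackson.databind.module.SimpleModule;

public final class UnresolvedSocketAddressModule {
    // Parses "host:port" (or "[ipv6-literal]:port") into an *unresolved* address.
    // Unlike new InetSocketAddress(host, port), createUnresolved never calls the
    // resolver, so readValue on untrusted JSON issues no DNS query.
    static final class UnresolvedDeserializer extends StdDeserializer<InetSocketAddress> {
        UnresolvedDeserializer() {
            super(InetSocketAddress.class);
        }
        @Override
        public InetSocketAddress deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
            String text = p.getValueAsString();
            if (text == null) { // not a scalar token (object, array, null)
                return (InetSocketAddress) ctxt.handleUnexpectedToken(InetSocketAddress.class, p);
            }
            // Split on the last ':' so IPv6 literals such as "[::1]:8080" keep their colons.
            int sep = text.lastIndexOf(':');
            if (sep <= 0 || sep == text.length() - 1) {
                return (InetSocketAddress) ctxt.handleWeirdStringValue(
                        InetSocketAddress.class, text, "expected host:port");
            }
            String host = text.substring(0, sep);
            if (host.startsWith("[") && host.endsWith("]")) {
                host = host.substring(1, host.length() - 1);
            }
            try {
                // Throws IllegalArgumentException (incl. NumberFormatException) for a bad port.
                return InetSocketAddress.createUnresolved(host, Integer.parseInt(text.substring(sep + 1)));
            } catch (IllegalArgumentException e) {
                return (InetSocketAddress) ctxt.handleWeirdStringValue(
                        InetSocketAddress.class, text, "invalid port");
            }
        }
    }
    // ObjectMapper that overrides the built-in InetSocketAddress deserializer; the
    // returned addresses report isUnresolved() == true until the caller resolves them.
    public static ObjectMapper mapper() {
        SimpleModule module = new SimpleModule("unresolved-socket-address");
        module.addDeserializer(InetSocketAddress.class, new UnresolvedDeserializer());
        return new ObjectMapper().registerModule(module);
    }
}
```

Registering the module through mapper() replaces the built-in JDKFromStringDeserializer handling for InetSocketAddress; callers should check isUnresolved() and validate the host against their own policy before any connect.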

Advisories

  • Source: Github GHSA
    ID: GHSA-hgj6-7826-r7m5
    Title: jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)

History

Wed, 24 Jun 2026 01:30:00 +0000

  • First Time appeared: added Fasterxml, Fasterxml jackson-databind
  • Vendors & Products: added Fasterxml, Fasterxml jackson-databind

Tue, 23 Jun 2026 21:15:00 +0000

  • Description: added (text as in the Description section above)
  • Title: added "jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)"
  • Weaknesses: added CWE-918
  • References:
  • Metrics: added cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Fasterxml Jackson-databind
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T20:52:38.568Z

Reserved: 2026-06-15T18:01:15.514Z

Link: CVE-2026-54514

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T03:30:05Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)