Description
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, POJOPropertiesCollector._renameProperties() allows a property with @JsonProperty("renamed") on the getter and @JsonIgnore on the setter to be renamed rather than dropped. With MapperFeature.INFER_PROPERTY_MUTATORS enabled (default), the private backing field is retained; during deserialization BeanDeserializerFactory.addBeanProps() sees hasField()==true, builds a FieldProperty, and makes the backing field writable. An attacker supplying the renamed JSON key writes the backing field directly, bypassing the @JsonIgnore on the setter. This vulnerability is fixed in 3.1.4.
Published: 2026-06-23
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug in jackson-databind's property-renaming logic lets a JSON document that supplies the renamed key of a property (one whose getter carries @JsonProperty("renamed") while its setter carries @JsonIgnore) write directly to the private backing field. This bypasses the encapsulation the @JsonIgnore was meant to enforce and can alter internal state that was intended to be read-only, compromising data integrity or affecting logic that depends on those values. The CVSS vector (C:N/I:L/A:N) reflects this: the impact is to integrity only. The weakness is classified as CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes): during Java bean introspection the framework wrongly selects the backing field as a writable mutator for the renamed property.

Affected Systems

The flaw affects FasterXML's jackson-databind library in the 2.21.x line from 2.21.0 until 2.21.4 and in the 3.1.x line before 3.1.4, as the advisory phrases it. The advisory names 3.1.4 as the fixed release; treat 3.1.4 and later as safe, and consult GHSA-9fxm-vc8v-hj55 for the corresponding 2.21.x fix level before relying on any 2.21.x build.

Risk and Exploitability

With a CVSS 3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N), the vulnerability is reachable over the network without privileges or user interaction, but its effect is limited to integrity. No EPSS score has been published for it yet, so no exploitation-probability estimate is available, and it is not listed in CISA's KEV catalog. Exploitation depends on a precondition in the application's own code, not in the payload: a class that the application deserializes must declare a property with @JsonProperty("renamed") on the getter and @JsonIgnore on the setter, backed by a private field. Any JSON the attacker can get such an application to deserialize then only needs to contain the renamed key to set that field. The flaw also requires MapperFeature.INFER_PROPERTY_MUTATORS, which is enabled by default; applications that have explicitly disabled it are not exposed through this path.

Generated by OpenCVE AI on June 24, 2026 at 02:44 UTC.

Remediation

The advisory description names jackson-databind 3.1.4 as the fixed release. No vendor-provided workaround is recorded on this page; the mitigation below is OpenCVE's recommendation, not the vendor's.

OpenCVE Recommended Actions

  • Upgrade jackson-databind to version 3.1.4 or newer, the release the advisory names as fixed. For 2.21.x deployments, check GHSA-9fxm-vc8v-hj55 for the corresponding 2.21 fix level (the description's "until 2.21.4" range suggests 2.21.4).
  • If an upgrade cannot be performed immediately, disable MapperFeature.INFER_PROPERTY_MUTATORS on the affected ObjectMapper so that an unannotated private field is never inferred as a mutator. This is a global behaviour change: any other class that relies on a non-visible field or setter being pulled in behind a visible getter will stop deserializing that property, so test the change before deploying it.
  • Audit deserialized classes for the @JsonProperty(name)-on-getter / @JsonIgnore-on-setter pattern and refactor them, for example by declaring the property read-only (JsonProperty.Access.READ_ONLY) or by ignoring the backing field explicitly, and confirm that no ObjectMapper instance in the environment re-enables inferred mutators after the audit.
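The following probe is an added example written for this page; it is not code from the advisory or from jackson-databind. It reproduces the accessor pattern the description names (getter renamed via @JsonProperty, setter marked @JsonIgnore, private backing field) and runs constructed attacker input through three configurations: the default mapper, the mapper with MapperFeature.INFER_PROPERTY_MUTATORS disabled as in the workaround above, and the refactored read-only property. The class names, field names and the "currentRole" key are assumptions; the Jackson 2.x package names are assumed, and a 3.x build would use the tools.jackson.* packages instead.

```java
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.MapperFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;

import java.util.function.Function;

// Added example; not code from the advisory or from jackson-databind.
public class RenamedIgnoredSetterProbe {

    // Hypothetical POJO in the advisory's pattern: the getter renames the property,
    // the setter is ignored, and the private backing field carries no annotation.
    public static class Session {
        private String role = "user";

        @JsonProperty("currentRole")
        public String getRole() { return role; }

        @JsonIgnore
        public void setRole(String role) { this.role = role; }
    }

    // The same POJO after the refactoring recommended above: the property is
    // declared read-only, so no mutator (setter or field) is used for it.
    public static class SessionReadOnly {
        private String role = "user";

        @JsonProperty(value = "currentRole", access = JsonProperty.Access.READ_ONLY)
        public String getRole() { return role; }
    }

    // Constructed attacker input: it uses the *renamed* key, which is the one the bug
    // binds to the backing field.
    static final String ATTACKER_JSON = "{\"currentRole\":\"admin\"}";

    // Returns the resulting role, or a marker if the mapper rejected the document
    // (for example UnrecognizedPropertyException when FAIL_ON_UNKNOWN_PROPERTIES is on).
    static <T> String probe(ObjectMapper mapper, Class<T> type, Function<T, String> getRole) {
        try {
            return getRole.apply(mapper.readValue(ATTACKER_JSON, type));
        } catch (Exception e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // INFER_PROPERTY_MUTATORS is enabled by default.
        ObjectMapper defaults = new ObjectMapper();

        // The workaround: never infer the private field as a mutator.
        ObjectMapper noInferredMutators = JsonMapper.builder()
                .disable(MapperFeature.INFER_PROPERTY_MUTATORS)
                .build();

        // On an affected release this prints "admin": the field was written despite
        // @JsonIgnore on the setter. On a fixed release it must stay "user".
        System.out.println("default mapper:      " + probe(defaults, Session.class, Session::getRole));

        // With inferred mutators off the field cannot be written; the key is either
        // ignored or the document is rejected, depending on FAIL_ON_UNKNOWN_PROPERTIES.
        // Either way the role is never "admin".
        System.out.println("mutators disabled:   " + probe(noInferredMutators, Session.class, Session::getRole));

        // Refactored POJO: no mutator exists for the property, regardless of version
        // or mapper settings, so the role is never "admin".
        System.out.println("READ_ONLY property:  " + probe(defaults, SessionReadOnly.class, SessionReadOnly::getRole));
    }
}
```

Run it once against the library version in your dependency tree: a printed "admin" on the first line is a positive result for the vulnerable behaviour, and the same probe doubles as a regression check after the upgrade or the configuration change. The probe deliberately treats "rejected" and "user" as equivalent outcomes, since the security property at stake is only that the ignored setter's field is never written from input.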



Advisories
Source: GitHub GHSA
ID: GHSA-9fxm-vc8v-hj55
Title: jackson-databind's renamed @JsonIgnore'd setters can deserialize via private fields
History

Wed, 24 Jun 2026 02:30:00 +0000

  • First Time appeared (values added): Fasterxml; Fasterxml jackson-databind
  • Vendors & Products (values added): Fasterxml; Fasterxml jackson-databind

Tue, 23 Jun 2026 21:15:00 +0000

  • Description (values added): jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, POJOPropertiesCollector._renameProperties() allows a property with @JsonProperty("renamed") on the getter and @JsonIgnore on the setter to be renamed rather than dropped. With MapperFeature.INFER_PROPERTY_MUTATORS enabled (default), the private backing field is retained; during deserialization BeanDeserializerFactory.addBeanProps() sees hasField()==true, builds a FieldProperty, and makes the backing field writable. An attacker supplying the renamed JSON key writes the backing field directly, bypassing the @JsonIgnore on the setter. This vulnerability is fixed in 3.1.4.
  • Title (values added): jackson-databind: Renamed @JsonIgnore'd setters can deserialize via private fields
  • Weaknesses (values added): CWE-915
  • References (values added): none listed on this page
  • Metrics (values added): cvssV3_1, score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T20:48:52.730Z

Reserved: 2026-06-15T18:40:01.650Z

Link: CVE-2026-54516

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T02:45:05Z

Weaknesses
  • CWE-915

    Improperly Controlled Modification of Dynamically-Determined Object Attributes