CVE-2017-17485 in jackson-databind

Summary

by MITRE

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

Analysis

by VulDB Data Team • 08/28/2025

CVE-2017-17485 is a critical remote code execution flaw in the FasterXML jackson-databind library, affecting versions up to 2.8.10 and 2.9.x through 2.9.3. It arose from an incomplete remediation of the previously addressed CVE-2017-7525 deserialization flaw, leaving a gap in the protection that fix was meant to provide. The flaw affects applications that pass untrusted JSON input to the readValue method of ObjectMapper, which makes it especially dangerous in web applications and services that accept JSON from external sources. Its severity is amplified by its unauthenticated nature: an attacker needs no credentials or access privileges to exploit it.

The technical root cause lies in the insufficient blacklist that was supposed to prevent exploitation of the deserialization flaw. When Spring libraries are present in the classpath, that blacklist becomes ineffective, allowing attackers to bypass it and execute arbitrary code on the target system. This is possible because Jackson's deserialization process can instantiate objects from attacker-supplied JSON input, and the incomplete fix fails to properly restrict which classes may be deserialized. The vulnerability specifically concerns ObjectMapper's readValue method, which is commonly used to convert JSON data into Java objects and is therefore a prime target in applications that process external JSON input.

The operational impact of CVE-2017-17485 is severe: successful exploitation can lead to complete system compromise and unauthorized access to sensitive data. Attackers can leverage the vulnerability to execute arbitrary commands on the target system, potentially leading to data breaches, service disruption, or further lateral movement within a network. It affects a wide range of applications that depend on Jackson for JSON processing, including web applications, APIs, and backend services. Because no authentication is required, any user who can send JSON input to an affected application can potentially trigger the vulnerability, which makes publicly accessible services particularly exposed.

Organizations should immediately upgrade their Jackson library versions to patched releases that properly address this vulnerability. The recommended mitigation involves updating to Jackson versions 2.8.11 or 2.9.4 and later, which contain comprehensive fixes for both CVE-2017-7525 and CVE-2017-17485. Additional protective measures include implementing proper input validation and sanitization, restricting the use of the readValue method with untrusted input, and configuring proper security boundaries around applications that process external JSON data. From a cybersecurity perspective, this vulnerability aligns with ATT&CK technique T1059.007 for command and script injection, and CWE-502 describes the underlying issue of deserialization of untrusted data. Organizations should also consider implementing network segmentation and monitoring for suspicious JSON processing activities to detect potential exploitation attempts.
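As an added illustration of the configuration side of this advisory (example code written for this page, not code from VulDB or the Jackson project), the following contrasts the weak global-default-typing setup that the class blacklist was guarding with an allowlist-based configuration using Jackson's PolymorphicTypeValidator. It assumes jackson-databind 2.10 or later, where that validator was introduced; the Animal/Dog/Unexpected model and the JSON inputs are constructed for the demonstration.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingDemo {

    // Constructed polymorphic model; the "@class" property in the JSON selects the type.
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
    public interface Animal {}
    public static class Dog implements Animal { public String name; }
    // Stands in for any class on the classpath that the application never meant to accept.
    public static class Unexpected implements Animal { public String name; }

    // WEAK: global default typing lets the JSON document name any class on the
    // classpath for readValue() to instantiate; only a denylist of known gadget
    // classes stands in the way, and that denylist is what CVE-2017-17485 bypassed.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        return new ObjectMapper().enableDefaultTyping();
    }

    // HARDENED: no global default typing, and every polymorphic type id is checked
    // against an allowlist of the subtypes the application actually expects.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Dog.class)
                .build();
        return JsonMapper.builder().polymorphicTypeValidator(ptv).build();
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();
        // Constructed input naming an allowlisted class: accepted.
        String ok = "{\"@class\":\"" + Dog.class.getName() + "\",\"name\":\"rex\"}";
        Animal a = mapper.readValue(ok, Animal.class);
        System.out.println("accepted: " + a.getClass().getSimpleName());
        // Constructed input naming a class outside the allowlist: rejected by the
        // validator before any object is built, whatever else sits on the classpath.
        String bad = "{\"@class\":\"" + Unexpected.class.getName() + "\",\"name\":\"rex\"}";
        try {
            mapper.readValue(bad, Animal.class);
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```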

Reservation

12/10/2017

Disclosure

01/10/2018

Moderation

accepted

CPE

ready

EPSS

0.84949

KEV

no

Activities

very low
