CVE-2019-12814 in Retail Customer Management

Summary

by MITRE

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.


Analysis

by VulDB Data Team • 08/28/2025

CVE-2019-12814 is a polymorphic typing flaw in the FasterXML jackson-databind library affecting versions 2.x through 2.9.9. It arises from the combination of Jackson's Default Typing feature with the presence of JDOM 1.x or 2.x on the application classpath, and it lets an attacker read arbitrary local files from the server. The impact is information disclosure, not remote code execution. The flaw applies to applications that have enabled default typing, globally or for a specific property, on JSON endpoints exposed to external clients, which makes web applications and API services the typical targets.

The technical flaw stems from how jackson-databind resolves polymorphic types when default typing is enabled. In that mode the library trusts type information embedded in the JSON payload, a fully qualified class name, to decide which class to instantiate, so the attacker rather than the application chooses the class. The issue becomes exploitable when JDOM 1.x or 2.x is on the classpath because JDOM contains classes whose constructors or setters accept a file path and read that file during instantiation. A crafted JSON message that names such a class and points it at a local file makes Jackson instantiate the class during deserialization; the file is read with the privileges of the application process and its contents can be leaked back to the attacker. Nothing is executed from the file; the JDOM classes serve as a file-read gadget, not a code-execution gadget.

The operational impact is significant for any organization that relies on jackson-databind for JSON processing. An attacker who can reach an affected endpoint can read files from the server filesystem with the privileges of the application process, including configuration files, database credentials, application logs, and other confidential data. If those files contain credentials or keys, the file read becomes a foothold for further compromise of the system or of connected services. Whether exploitation requires authentication depends on the endpoint: a default-typed deserializer behind an unauthenticated API is exploitable by anyone who can send it JSON, which makes the flaw useful for reconnaissance, data exfiltration, and subsequent escalation. The vulnerability maps to CWE-502, Deserialization of Untrusted Data, in the Common Weakness Enumeration catalog.

Exploitation requires two conditions: default typing enabled on an externally reachable JSON endpoint, and JDOM 1.x or 2.x present on the classpath. Organizations should upgrade to jackson-databind 2.9.10 or later, which blocks the affected JDOM classes from being resolved as polymorphic types. Because that fix is a blocklist entry rather than a change to default typing itself, the durable mitigation is to disable default typing wherever it is not required and, where polymorphic deserialization is genuinely needed, to restrict it to an explicit allow-list of application types (jackson-databind 2.10 introduced PolymorphicTypeValidator for this purpose). Reviewing the application classpath and removing unused libraries shrinks the set of gadget classes available to an attacker. Monitoring for JSON payloads that carry fully qualified class names in type-id positions, together with network-level controls such as web application firewalls and intrusion detection systems, provides detection but not prevention. In ATT&CK terms, exploiting this flaw is T1190, Exploit Public-Facing Application; any later staging of the files obtained (T1074.001, Data Staged: Local Data Staging) is post-exploitation behaviour rather than part of the vulnerability, and T1059 (Command and Scripting Interpreter) does not apply, since the flaw yields a file read and not code execution. Automated dependency scanning and regular security assessments help identify similar issues in application dependencies.
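The following Java program is an added example, not code from the VulDB entry or from the jackson-databind project. It contrasts the configuration described in the analysis above (default typing with no restriction, so the payload picks the class) with the hardened form recommended in the mitigation paragraph (default typing gated by a PolymorphicTypeValidator). It assumes jackson-databind 2.10 or later on the classpath. The Event and Note classes and both JSON documents are constructed for the demo, and java.util.HashMap stands in for a classpath gadget such as the JDOM classes behind this CVE: the point shown is that the class name comes from the attacker, and that the validator refuses it before any constructor of that class runs.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Constructed application model (not from the advisory): an endpoint
    // accepts an Event whose "payload" may be one of a few known classes.
    public static class Event {
        public String name;
        public Object payload;
    }

    public static class Note {
        public String text;
    }

    // Constructed attacker input. With default typing on, Jackson reads the
    // fully qualified class name from the ["fqcn", value] wrapper and
    // instantiates that class. java.util.HashMap stands in for a classpath
    // gadget such as the JDOM classes behind CVE-2019-12814, whose
    // constructors read the file path they are handed.
    static final String MALICIOUS =
        "{\"name\":\"x\",\"payload\":[\"java.util.HashMap\",{\"path\":\"/etc/passwd\"}]}";

    // Constructed benign input naming an application class the endpoint
    // legitimately expects.
    static final String BENIGN =
        "{\"name\":\"ok\",\"payload\":[\"" + Note.class.getName()
        + "\",{\"text\":\"hello\"}]}";

    // VULNERABLE: the pre-2.10 way of enabling default typing. Any class
    // name supplied in the payload is a candidate for instantiation, limited
    // only by Jackson's reactive blocklist of already-known gadget classes.
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // OBJECT_AND_NON_CONCRETE; deprecated since 2.10
        return m;
    }

    // HARDENED: default typing only through a PolymorphicTypeValidator
    // (jackson-databind 2.10+). Only Note and its subclasses may be resolved
    // from a type id; every other class name is rejected.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Note.class)
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Vulnerable: the payload, not the application, decides the class.
        Event v = vulnerableMapper().readValue(MALICIOUS, Event.class);
        System.out.println("vulnerable mapper instantiated: "
            + v.payload.getClass().getName());

        // Hardened: the allow-listed Note still deserializes normally ...
        Event h = hardenedMapper().readValue(BENIGN, Event.class);
        System.out.println("hardened mapper accepted: " + ((Note) h.payload).text);

        // ... but the gadget-shaped payload is refused by the validator,
        // before any constructor of the named class runs.
        try {
            hardenedMapper().readValue(MALICIOUS, Event.class);
            System.out.println("hardened mapper accepted gadget payload (unexpected)");
        } catch (JsonMappingException e) {
            System.out.println("hardened mapper rejected: " + e.getOriginalMessage());
        }
    }
}
```

Compile and run with jackson-databind (and its jackson-core and jackson-annotations dependencies) on the classpath. The allow-list is deliberately narrow: allowIfSubType with a class, or with a package prefix string, is the check that decides which type ids may be resolved, and the safest configuration is to not call activateDefaultTyping at all and to annotate the few polymorphic fields with @JsonTypeInfo and an explicit set of @JsonSubTypes instead.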

Reservation

06/13/2019

Moderation

accepted

Entry

3

CPE

ready

EPSS

0.18064

KEV

no

Activities

very low
