CVE-2020-10672 in jackson-databind
Summary
by MITRE
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
Analysis
by VulDB Data Team • 01/26/2026
CVE-2020-10672 is a high-severity flaw in the FasterXML jackson-databind library affecting 2.x versions before 2.9.10.4. It is one of a long series of jackson-databind "gadget" issues: the library's polymorphic type handling lets JSON input name the concrete Java class to instantiate, and org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (from the aries.transaction.jms module) is a class whose property setters, invoked while jackson binds the attacker-supplied JSON, reach behavior the attacker can steer. When an application deserializes untrusted JSON with polymorphic typing enabled for a broad base type such as Object, and the Aries JMS classes are on the classpath, a crafted payload can lead to code execution in the context of the deserializing application.
The technical root cause is jackson-databind's handling of type identifiers during deserialization. When default typing (ObjectMapper.enableDefaultTyping()) or a @JsonTypeInfo annotation on a non-final base type is in effect, the type id embedded in the JSON selects the class to construct. In the 2.9 line the only guard against this was a built-in blocklist of class names already known to be dangerous; XaPooledConnectionFactory was not on that list before 2.9.10.4, so jackson would instantiate it and populate its properties from the payload, which is what activates the gadget chain. This is CWE-502, "Deserialization of Untrusted Data": the application deserializes input without constraining which types may be produced, and the attacker controls the deserialization process through the type id.
The operational impact of CVE-2020-10672 is remote code execution in the deserializing process, which in practice means the attacker can gain control of the affected host, read or alter its data, disrupt the service, and pivot further into the network. The vulnerability is reachable only in applications that both deserialize attacker-influenced JSON with polymorphic type handling enabled and have the aries.transaction.jms gadget class available on the classpath; applications that never enable default typing and do not annotate broad base types with @JsonTypeInfo are not exposed through this path. The attack vector is a crafted JSON document sent to such an endpoint, with the type id pointing at the gadget class and the remaining properties chosen to trigger it. Note that ATT&CK T1203, "Exploitation for Client Execution", describes exploitation of client-side applications; when the deserializing component is a network-facing service, which is the usual case for jackson-databind gadget chains, T1190, "Exploit Public-Facing Application", is the closer mapping.
Organizations can mitigate this vulnerability by upgrading to jackson-databind 2.9.10.4 or later, which adds the XaPooledConnectionFactory class to the library's blocklist of known gadget types. That fix closes this one chain only; it does not make default typing safe against gadgets discovered later. The durable mitigation is to stop accepting arbitrary type ids from untrusted input: avoid enableDefaultTyping() altogether, or on 2.10 and later use activateDefaultTyping() with a PolymorphicTypeValidator that allows only the application's own model classes. Removing unneeded gadget-bearing dependencies (here, aries.transaction.jms) from the classpath also removes this chain. Web application firewalls that match type-id strings in JSON bodies can add a detection layer, but string matching is easily bypassed by naming a different gadget and should not be the primary control. Security teams should inventory applications using affected versions, including those that pull jackson-databind in transitively, and monitor for deserialization failures naming unexpected classes, since those often precede a successful payload.
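The following Java example, added here and not code from VulDB, MITRE or the jackson project, illustrates the root cause and the hardened configuration described above. It contrasts a legacy mapper that enables default typing (the configuration this CVE needs) with a mapper that uses an allowlist PolymorphicTypeValidator, which requires jackson-databind 2.10 or later. The Envelope and Note classes and the JSON input are constructed for the demonstration; the malicious input names the gadget class from the advisory but carries an empty property object, so it is not a working exploit.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

import java.io.IOException;

public class DefaultTypingDemo {

    // Hypothetical application model. A field typed as Object is exactly what
    // makes default typing emit, and expect, a type id for that field.
    public static class Envelope {
        public String id;
        public Object payload; // serialized as ["fully.qualified.Class", {...}]
    }

    public static class Note {
        public String text;
    }

    // Constructed attacker input: the type id names the gadget class from the
    // advisory. The property object is deliberately empty; the real chain
    // depends on the gadget's own setters, which are not reproduced here.
    static final String MALICIOUS_JSON =
        "{\"id\":\"1\",\"payload\":"
      + "[\"org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory\",{}]}";

    // The configuration this CVE requires: any class name in the input may be
    // instantiated unless it is on jackson's built-in blocklist.
    @SuppressWarnings("deprecation")
    static ObjectMapper legacyMapper() {
        return new ObjectMapper().enableDefaultTyping();
    }

    // Hardened configuration (2.10+): only Note, or subclasses of it, may be
    // produced for polymorphic fields; every other type id is rejected.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Note.class)
            .build();
        return JsonMapper.builder()
            .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE)
            .build();
    }

    // Returns a one-line description of what the mapper did with the input.
    static String tryRead(ObjectMapper mapper, String json) {
        try {
            Envelope e = mapper.readValue(json, Envelope.class);
            return "accepted: payload is "
                + (e.payload == null ? "null" : e.payload.getClass().getName());
        } catch (JsonMappingException ex) {
            // Both a validator denial (InvalidTypeIdException) and the built-in
            // blocklist denial (InvalidDefinitionException) are caught here.
            return "rejected: " + ex.getOriginalMessage();
        } catch (IOException ex) {
            return "parse error: " + ex.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper hardened = hardenedMapper();

        Envelope benign = new Envelope();
        benign.id = "1";
        Note note = new Note();
        note.text = "hello";
        benign.payload = note;
        String benignJson = hardened.writeValueAsString(benign);

        System.out.println("benign wire form:    " + benignJson);
        System.out.println("hardened, benign:    " + tryRead(hardened, benignJson));
        System.out.println("hardened, malicious: " + tryRead(hardened, MALICIOUS_JSON));
        System.out.println("legacy, malicious:   " + tryRead(legacyMapper(), MALICIOUS_JSON));
    }
}
```

With the hardened mapper the malicious document is rejected before any class is resolved, because the type id does not match the allowlist. The legacy mapper's result depends on the library version: on 2.9.10.4 or later the blocklist rejects this particular class name with a "prevented for security reasons" message, while on earlier versions jackson attempts to load and instantiate the named class, failing only if it is absent from the classpath. The allowlist is the control that holds regardless of which gadget class an attacker names.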