CVE-2020-10673 in jackson-databind

Summary

by MITRE

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 01/26/2026

CVE-2020-10673 affects FasterXML jackson-databind 2.x before 2.9.10.4 and is one entry in the long series of polymorphic deserialization gadget issues in that library. The underlying condition is the same in every entry of the series: when an application enables polymorphic type handling (for example through ObjectMapper.enableDefaultTyping(), or a @JsonTypeInfo annotation that uses class names on an Object-typed or otherwise broad base type), the name of the class to instantiate is read from the JSON document itself, so whoever controls the input also controls which class gets constructed. In the 2.9.x line the library defended against this with a denylist of known dangerous classes. This CVE records that com.caucho.config.types.ResourceRef, a class shipped in Caucho's Resin and Quercus libraries, was not yet on that denylist. An application that (1) deserializes untrusted JSON with polymorphic typing enabled and (2) has that class on its classpath can be made to instantiate it with attacker-chosen property values, which for this gadget family is treated as leading to remote code execution.

Technically, no code is "injected" into the target. During deserialization with polymorphic typing enabled, jackson-databind reads the type identifier from the document, resolves it to a class, creates an instance, and populates it through its constructor or setters using values taken from the JSON. A gadget is a class that already exists on the classpath and whose constructor or setters have side effects; driven with attacker-supplied values, those side effects do the damage (in the JNDI-style gadgets that make up much of the library's denylist, that is a lookup of an attacker-controlled name). The attacker therefore only composes existing code, which is why the weakness is classified as CWE-502, Deserialization of Untrusted Data. Because 2.9.x relied on a denylist in SubTypeValidator rather than an allow-list, every newly discovered gadget class bypassed the defence until it was added, and each such addition received its own CVE; 2.9.10.4 is the release that added ResourceRef. The trigger is an ordinary readValue() call on an ordinary-looking JSON body, so nothing in the request stands out to generic input filtering.

Where the preconditions hold, the operational impact is severe: a remote attacker who can submit JSON to the affected endpoint executes code with the privileges of the application process, which can lead to full host compromise, data theft, and lateral movement. The preconditions matter, however. Only applications that both enable polymorphic typing for untrusted input and carry the Caucho Resin/Quercus classes on their classpath are exploitable through this particular gadget; a service that merely depends on jackson-databind for plain JSON binding is not. Whether authentication is required depends on the endpoint that performs the deserialization, not on the library; many of the endpoints that historically exposed this class of bug were unauthenticated APIs. The vulnerability is classified under CWE-502, Deserialization of Untrusted Data, a weakness that frequently leads to remote code execution.

The minimum fix is upgrading jackson-databind to 2.9.10.4 or later, which adds com.caucho.config.types.ResourceRef to the denylist. A denylist only protects against gadgets already known, so the durable fix is to stop accepting attacker-chosen class names at all: move to 2.10 or later, replace enableDefaultTyping() with activateDefaultTyping() behind a PolymorphicTypeValidator that allow-lists the application's own types, or avoid default typing entirely and declare the expected subtypes with @JsonTypeInfo(use = JsonTypeInfo.Id.NAME) and @JsonSubTypes. On the classpath side, remove the Resin/Quercus dependency where it is not actually needed, since the gadget cannot fire if the class is absent. Security teams should inventory applications for affected library versions and for uses of default typing or class-name-based @JsonTypeInfo, prioritising internet-facing endpoints that deserialize into Object-typed or interface-typed fields. The ATT&CK references listed for this entry are T1059.007 (Command and Scripting Interpreter: JavaScript) and T1203 (Exploitation for Client Execution); both are loose fits for a server-side Java deserialization flaw, which in practice is reached through T1190, Exploit Public-Facing Application. Network segmentation and egress filtering also limit JNDI-style gadgets, which need the application to reach an attacker-controlled server, and monitoring for unexpected outbound LDAP or RMI connections from application hosts is a practical detection for exploitation attempts.
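The following is an added example, not code from VulDB or from the jackson-databind project, illustrating the mechanism described in the technical paragraph and the hardened configuration recommended above. The package name, the Event and Note classes and the DefaultTypingDemo class are hypothetical; java.util.HashMap stands in for a gadget class so that the rejection can be shown without a dangerous payload. The only library calls used are the public ObjectMapper and BasicPolymorphicTypeValidator APIs present in jackson-databind 2.10 and later.

```java
package com.example.model;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Added example (hypothetical classes, not VulDB or FasterXML code).
 * Contrasts the 2.9.x default-typing idiom that exposes gadget CVEs such as
 * CVE-2020-10673 with the 2.10+ validator-backed replacement.
 */
public class DefaultTypingDemo {

    /** Hypothetical application type. An Object-typed field is the classic sink:
     *  with default typing enabled, the JSON document chooses the concrete class. */
    public static class Event {
        public String name;
        public Object payload;
    }

    /** A benign payload type the application actually expects. */
    public static class Note {
        public String text;
    }

    /** VULNERABLE configuration (jackson-databind 2.9.x idiom). Any class on the
     *  classpath may be named as a type id; the only barrier is the library's
     *  denylist, which is exactly what an unlisted gadget such as ResourceRef bypassed. */
    @SuppressWarnings("deprecation")
    public static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    /** HARDENED configuration (jackson-databind 2.10+). Default typing is only
     *  activated behind an allow-list of subtype name prefixes, so a class outside
     *  the application's own package is rejected before it is ever instantiated. */
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")   // hypothetical application package
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    /** Returns true when the mapper refuses the type id carried in the document. */
    public static boolean rejectsTypeId(ObjectMapper m, String json) throws Exception {
        try {
            m.readValue(json, Event.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs. With default typing, a polymorphic value is written as
        // ["fully.qualified.ClassName", {properties}]. The first document is what the
        // application expects; the second names a class outside the allow-list
        // (java.util.HashMap is harmless and is used only to show the rejection).
        String expected = "{\"name\":\"n\",\"payload\":"
                + "[\"com.example.model.DefaultTypingDemo$Note\",{\"text\":\"hi\"}]}";
        String foreign = "{\"name\":\"n\",\"payload\":[\"java.util.HashMap\",{}]}";

        ObjectMapper vuln = vulnerableMapper();
        ObjectMapper hard = hardenedMapper();

        System.out.println("vulnerable accepts expected : " + !rejectsTypeId(vuln, expected));
        System.out.println("vulnerable accepts foreign  : " + !rejectsTypeId(vuln, foreign));
        System.out.println("hardened accepts expected   : " + !rejectsTypeId(hard, expected));
        System.out.println("hardened rejects foreign    : " + rejectsTypeId(hard, foreign));
    }
}
```

Compile and run with jackson-databind 2.10 or later on the classpath. The vulnerable mapper accepts both documents, because nothing but the denylist stands between the JSON and Class.forName(); the hardened mapper accepts the expected document and throws InvalidTypeIdException for the foreign one. The same allow-list approach is what makes a future unlisted gadget irrelevant: a class that is not under the application's own package is never loaded, regardless of whether the library has heard of it. When auditing existing code, the things to search for are enableDefaultTyping, activateDefaultTyping without a restrictive validator, and @JsonTypeInfo with Id.CLASS or Id.MINIMAL_CLASS on fields reachable from untrusted input.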

Reservation

03/18/2020

Moderation

accepted

CPE

ready

EPSS

0.07963

KEV

no

Activities

very low

Sources
