CVE-2026-54514 in jackson-databind
Summary
by MITRE • 06/24/2026
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.
Analysis
by VulDB Data Team • 06/24/2026
The vulnerability in jackson-databind represents a critical security flaw that enables remote code execution through deserialization of untrusted data containing InetSocketAddress fields. This issue affects versions from 2.0.0 through 2.18.7, 2.21.3, and 3.1.3, where the JDKFromStringDeserializer class improperly handles hostname resolution during object construction. The flaw stems from the use of new InetSocketAddress(host, port) which triggers immediate DNS resolution at deserialization time rather than deferring this operation until an explicit connection attempt occurs.
Technically, the vulnerability stems from the eager DNS resolution that the InetSocketAddress constructor performs when it is given a hostname string. During deserialization, the Jackson library processes JSON input and creates InetSocketAddress objects by directly invoking the constructor with user-supplied hostnames and port numbers. This immediate DNS lookup provides attackers with an opportunity to influence network traffic patterns and potentially redirect queries through malicious DNS servers or cause denial of service through resource exhaustion attacks.
From a cybersecurity perspective, this vulnerability maps directly to CWE-1347 which describes "Improperly Implemented DNS Resolution" and aligns with ATT&CK technique T1059.007 for "Command and Scripting Interpreter: PowerShell" in scenarios where attackers might use DNS tunneling or command injection through network resolution manipulation. The impact extends beyond simple information disclosure to potentially enable more sophisticated attacks including service disruption, data exfiltration through DNS channels, or exploitation of other network-based vulnerabilities that depend on controlled hostname resolution.
The operational consequences of this vulnerability are severe for applications processing untrusted JSON data containing network address information. Any system using Jackson's deserialization capabilities with InetSocketAddress fields becomes vulnerable to remote attackers who can craft malicious JSON payloads that trigger DNS queries to arbitrary servers. This creates a vector for attackers to perform reconnaissance, cause denial of service through DNS server overload, or potentially redirect traffic through compromised DNS infrastructure before any application-level validation occurs.
The fix implemented in versions 2.18.8, 2.21.4, and 3.1.4 addresses the core issue by replacing InetSocketAddress(host, port) with InetSocketAddress.createUnresolved(host, port). This change defers DNS resolution to explicit connection attempts rather than performing eager resolution during deserialization. The createUnresolved method creates an InetSocketAddress instance without attempting to resolve the hostname, which means that DNS queries only occur when applications explicitly attempt to connect to the address, providing proper separation between deserialization and network operations.
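The two behaviours described above, the eager `new InetSocketAddress(host, port)` and the deferred `InetSocketAddress.createUnresolved(host, port)`, side by side, together with a workaround for applications that cannot upgrade yet: registering their own deferred-resolution deserializer for `InetSocketAddress`, which takes precedence over Jackson's built-in handling of that type. This is an added example, not code from jackson-databind or from the advisory; it assumes Jackson 2.x package names (`com.fasterxml.jackson.*`), and the class `UnresolvedInetSocketAddressDeserializer`, the helper `parseUnresolved` and the `Endpoint` target type are hypothetical names chosen for this example. The `host:port` / `[ipv6]:port` parsing is a simplified stand-in for whatever string format the library itself accepts.

```java
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.deser.std.StdDeserializer;
import com.fasterxml.jackson.databind.module.SimpleModule;

import java.io.IOException;
import java.net.InetSocketAddress;

public class UnresolvedSocketAddressExample {

    /** Target type: an application object bound from untrusted JSON (hypothetical). */
    public static class Endpoint {
        public InetSocketAddress address;
    }

    /**
     * Deferred-resolution deserializer (hypothetical workaround class, not Jackson's
     * own JDKFromStringDeserializer). Registering it for InetSocketAddress means
     * readValue never issues a DNS query for this type.
     */
    public static class UnresolvedInetSocketAddressDeserializer
            extends StdDeserializer<InetSocketAddress> {

        public UnresolvedInetSocketAddressDeserializer() {
            super(InetSocketAddress.class);
        }

        @Override
        public InetSocketAddress deserialize(JsonParser p, DeserializationContext ctxt)
                throws IOException {
            String text = p.getValueAsString();
            if (text == null) {
                // Not a scalar string: let Jackson report the type mismatch.
                return (InetSocketAddress) ctxt.handleUnexpectedToken(InetSocketAddress.class, p);
            }
            return parseUnresolved(text.trim());
        }
    }

    /**
     * Splits "host:port" or "[ipv6]:port" (simplified parser, an assumption of this
     * example) and builds the address WITHOUT resolving it, which is the behaviour
     * the fixed versions adopt.
     */
    static InetSocketAddress parseUnresolved(String text) {
        String host;
        int port;
        if (text.startsWith("[")) {                      // bracketed IPv6 literal
            int close = text.indexOf(']');
            if (close < 0) {
                throw new IllegalArgumentException("unterminated IPv6 literal: " + text);
            }
            host = text.substring(1, close);
            String rest = text.substring(close + 1);
            port = rest.startsWith(":") ? Integer.parseInt(rest.substring(1)) : 0;
        } else {
            int colon = text.lastIndexOf(':');
            if (colon < 0) {
                host = text;
                port = 0;
            } else {
                host = text.substring(0, colon);
                port = Integer.parseInt(text.substring(colon + 1));
            }
        }
        if (port < 0 || port > 65535) {
            throw new IllegalArgumentException("port out of range: " + port);
        }
        // No DNS traffic here: resolution only happens when the application
        // explicitly connects (e.g. Socket#connect) with this address.
        return InetSocketAddress.createUnresolved(host, port);
    }

    /** Eager variant, present only so the difference is observable side by side. */
    static InetSocketAddress parseEager(String host, int port) {
        return new InetSocketAddress(host, port);   // performs the DNS lookup right now
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        SimpleModule module = new SimpleModule();
        module.addDeserializer(InetSocketAddress.class,
                new UnresolvedInetSocketAddressDeserializer());
        mapper.registerModule(module);

        // Constructed untrusted input; the hostname is a placeholder, not a real target.
        String untrustedJson = "{\"address\":\"attacker-chosen.example:8443\"}";
        Endpoint ep = mapper.readValue(untrustedJson, Endpoint.class);

        // The check a regression test should make: binding must not have resolved.
        System.out.println("host=" + ep.address.getHostString()
                + " port=" + ep.address.getPort()
                + " unresolved=" + ep.address.isUnresolved());
    }
}
```

The property worth asserting in a test is `isUnresolved()` on the bound value: with the eager constructor it is `false` for any name the resolver can look up (and the lookup has already happened by the time `readValue` returns), with `createUnresolved` it is always `true`. Checking that flag after deserializing a string with a hostname is also a quick way to confirm whether the jackson-databind build in use still resolves at bind time.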
Security practitioners should prioritize updating affected systems to versions containing this fix, as the vulnerability allows attackers to perform DNS-based attacks without requiring additional exploitation primitives. Organizations using jackson-databind with untrusted input should also implement network monitoring to detect unusual DNS query patterns that might indicate exploitation attempts. The mitigation strategy aligns with defense-in-depth principles and follows industry best practices for preventing deserialization vulnerabilities by separating network operations from object construction phases, thereby reducing the attack surface available to potential adversaries.