Sign In

CVE-2026-54514

ADVISORY - github

Summary

Summary

JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect.

Impact

An attacker controlling JSON deserialized into an InetSocketAddress-bearing type can force outbound DNS lookups for attacker-chosen hostnames at deserialization time (SSRF / DNS-based out-of-band interaction / internal-resolver probing), purely from binding.

Affected / Patched (verified via git tag --contains on 1f5a103)

  • 2.18 line: >= 2.18.0, < 2.18.8 -> fixed in 2.18.8
  • 2.19-2.21 line: >= 2.19.0, < 2.21.4 -> fixed in 2.21.4
  • 3.x line: >= 3.0.0, < 3.1.4 -> fixed in 3.1.4

Severity / CWE

Maintainer: minor. Reporter: LOW. CWE-918 (SSRF).

Upstream fix

FasterXML/jackson-databind#5951 ("Improve InetSocketAddress deserialization"). Released 2026-06-04 in 2.18.8 / 2.21.4 / 3.1.4.

Credits

Omkhar Arasaratnam (@omkhar) - finder.

Common Weakness Enumeration (CWE)

ADVISORY - github

CWE-918

Server-Side Request Forgery (SSRF)

Impacted images

Advisories

GitHub

CREATED

UPDATED

ADVISORY IDGHSA-hgj6-7826-r7m5
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-918

CVSS SCORE

5.3medium