CVE-2026-54516
ADVISORY - githubSummary
Summary
POJOPropertiesCollector._renameProperties() allows a property with @JsonProperty("renamed") on the getter and @JsonIgnore on the setter to be renamed rather than dropped. With MapperFeature.INFER_PROPERTY_MUTATORS enabled (default), the private backing field is retained; during deserialization BeanDeserializerFactory.addBeanProps() sees hasField()==true, builds a FieldProperty, and makes the backing field writable. An attacker supplying the renamed JSON key writes the backing field directly, bypassing the @JsonIgnore on the setter.
Impact
POJOs combining a renamed getter with an ignored setter (a read-only-over-the-wire pattern) have that field silently set from attacker input (property tampering / mass assignment). Not a general gadget; no RCE.
Affected / Patched (verified via git tag --contains)
- 2.21 line:
>= 2.21.0, < 2.21.4-> fixed in 2.21.4 (backportc3d56dd, #5968) - 3.x line:
>= 3.0.0, < 3.1.4-> fixed in 3.1.4 (#5967,e88cb17)
Severity / CWE
Maintainer: minor. Reporter: HIGH. CWE-915.
Credits
Omkhar Arasaratnam (@omkhar) - finder.
Common Weakness Enumeration (CWE)
Improperly Controlled Modification of Dynamically-Determined Object Attributes
GitHub
3.9
CVSS SCORE
5.3mediumDebian
-
CVSS SCORE
N/AlowUbuntu
-
CVSS SCORE
N/AmediumChainguard
CGA-xx82-ppw2-x9rh
-
minimos
MINI-3g6x-2mr2-67jx
-
minimos
MINI-4pf3-7hj3-m4h2
-
minimos
MINI-4x8v-8qr3-w846
-
minimos
MINI-55w2-m5q9-vgfv
-
minimos
MINI-99w2-w55j-2cgq
-
minimos
MINI-gw92-v3x2-jmmf
-
minimos
MINI-h7cg-77fr-x789
-
minimos
MINI-h9gv-hf6m-34qw
-
minimos
MINI-jj2x-xf23-vg9f
-
minimos
MINI-m99x-8g46-fw77
-
minimos
MINI-mmx9-vf4p-r6hh
-
minimos
MINI-r63m-pm7p-645g
-
minimos
MINI-rhwq-4mv9-j7h3
-
minimos
MINI-rjx7-vm6j-qw5f
-
minimos
MINI-wj72-857r-fwq6
-
minimos
MINI-xr4m-cqmc-v6c9
-