FasterXML's Jackson-databind library sits at the center of JSON handling for a huge share of the Java ecosystem — Spring Boot services, internal RPC layers, and countless microservices all lean on it to turn wire-format JSON into Java objects. CVE-2019-12384 is one entry in a long-running family of vulnerabilities in that library's polymorphic ("default typing") deserialization feature, where an attacker who can influence the JSON payload passed to an ObjectMapper can instantiate arbitrary classes present on the application's classpath. This specific CVE identifies a previously unblocked gadget class — net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup from the Ehcache library — that Jackson-databind's SubTypeValidator failed to reject, allowing it to be used as part of an exploit chain when default typing is enabled. Left unpatched, a vulnerable service that both enables polymorphic typing and has Ehcache on its classpath can be coerced into performing unintended, attacker-influenced object instantiation and downstream JNDI-style lookups, with potential knock-on effects ranging from server-side request forgery to remote code execution depending on what else is reachable in the runtime environment.
Affected versions and components
CVE-2019-12384 affects FasterXML jackson-databind 2.x branches prior to 2.9.9.1. The root feature being abused — "default typing," enabled via ObjectMapper.enableDefaultTyping() or an equivalent @JsonTypeInfo configuration that resolves types from attacker-controlled JSON — has been the source of dozens of related CVEs since jackson-databind first introduced a blacklist-based SubTypeValidator to reject known-dangerous "gadget" classes. This particular advisory is exploitable only when three conditions hold at once:
- The application uses Jackson-databind's global default typing, or an equally permissive
@JsonTypeInfoconfiguration on a broad base type (e.g.,ObjectorSerializable). - The Ehcache library (specifically the class containing
DefaultTransactionManagerLookup) is present somewhere on the application's runtime classpath, even if the application itself never references it directly — transitive dependencies count. - An attacker can supply or influence the JSON payload that reaches the vulnerable
ObjectMapperinstance.
Because Jackson-databind is almost always pulled in transitively (by Spring, Jersey, Dropwizard, and many other frameworks), the practical footprint of "affected" software extends well beyond services that explicitly declare a jackson-databind dependency — any service bundling a vulnerable version through a framework's BOM is exposed to the same risk once the other two preconditions line up.
CVSS, EPSS, and KEV context
NVD's published CVSS v3.x base score for CVE-2019-12384 sits in the Medium range (base score 6.3), reflecting a network-exploitable, low-complexity, no-privileges-required, no-user-interaction attack vector, with the confidentiality/integrity/availability impact rated conservatively (Low/Low/None) because real-world impact depends heavily on what the specific gadget can do once instantiated — NVD scores these entries generically rather than for a worst-case chained RCE. That conservative scoring is a recurring criticism of the entire jackson-databind gadget-blacklist CVE series: the base score understates severity for applications where the gadget chain can be extended into full remote code execution, while overstating risk for the (much larger) population of applications that never enable default typing at all and are therefore not exploitable regardless of which gadget classes sit on their classpath.
CVE-2019-12384 has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, and there is no widely reported evidence of it being used in the wild as an independent, named campaign — it tends to surface in dependency and SCA scan results rather than in active-exploitation telemetry. That said, EPSS-style exploitation-probability signals for this whole class of Jackson-databind gadget CVEs should be read with caution: low observed exploitation activity for any single gadget CVE does not mean the underlying weakness (unsafe default typing) is low-risk — it means researchers and scanners, not live attackers, are the ones most actively cataloguing new gadget classes.
Timeline
- 2017 — The original default-typing gadget-chain issue (tracked separately, predating this CVE) demonstrated that Jackson-databind's polymorphic deserialization could be abused when default typing was enabled and a suitable gadget class was reachable, prompting FasterXML to introduce the blacklist-based
SubTypeValidatormechanism to block known-bad classes as they were discovered. - 2018–2019 — Security researchers and dependency scanners began systematically probing common Java libraries for classes that could serve as new gadgets, producing a steady stream of individual CVEs (each naming a different blocked class) rather than a single comprehensive fix, since the blacklist approach can only ever block classes that have already been identified.
- 2019 — CVE-2019-12384 is filed, documenting that the Ehcache class
net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookupwas missing from the blacklist maintained bySubTypeValidator. - Jackson-databind 2.9.9.1 is released by FasterXML, adding the missing Ehcache class (along with others identified around the same time) to the blocked-class list, closing this specific gadget path.
- Jackson 2.10+ — FasterXML later shipped a more durable structural fix:
PolymorphicTypeValidator(and its default implementation,BasicPolymorphicTypeValidator), which flips the model from blacklisting known-bad classes to allowlisting known-good ones — the architecturally sound answer to a problem that blacklisting alone can never fully close.
Remediation steps
- Upgrade jackson-databind to 2.9.9.1 or later (and preferably to a current 2.x or later release line) to pick up the updated blocked-class list. Check every service, including those pulling jackson-databind transitively through Spring Boot, Jersey, or other framework BOMs — pinning the framework version alone doesn't guarantee the databind version underneath is patched.
- Stop using global default typing.
ObjectMapper.enableDefaultTyping()(and its unrestricted@JsonTypeInfoequivalents) is the actual root cause enabling this entire CVE family. If your application doesn't have a hard requirement for polymorphic deserialization across arbitrary types, disable it. - Adopt allowlist-based polymorphic type validation. If polymorphic deserialization is a genuine requirement, migrate to Jackson 2.10+ and configure a
BasicPolymorphicTypeValidatorthat explicitly allowlists only the base types and subtypes your application actually needs, rather than relying on FasterXML's reactive blacklist to keep up with every gadget researchers find. - Audit the classpath for gadget-capable libraries. Even with a patched jackson-databind, unused libraries like Ehcache, Spring, or various JNDI/connection-pool libraries sitting on the classpath widen the pool of potential future gadgets. Trim dependencies you don't need.
- Run software composition analysis (SCA) across the full dependency tree, not just direct declarations, since jackson-databind and its gadget-capable neighbors are frequently transitive.
- Validate and constrain untrusted JSON input at the boundary — reject unexpected type hints and schema shapes before they reach an
ObjectMapper, as defense in depth against both known and yet-undiscovered gadget classes.
How Safeguard Helps
CVE-2019-12384 is a textbook example of why point-in-time vulnerability scanning isn't enough for Java supply chains: the same underlying weakness (unsafe default typing) has produced dozens of near-identical CVEs over several years, each one requiring teams to re-check the same configuration pattern against a growing blocklist. Safeguard's software supply chain security platform is built to close that gap continuously rather than one CVE at a time.
Safeguard generates and maintains accurate SBOMs across your build pipelines, surfacing not just direct jackson-databind declarations but every transitive path that pulls a vulnerable version in through Spring, Jersey, Dropwizard, or other frameworks — the exact blind spot that lets gadget CVEs like this one persist in production long after teams believe they've patched. Our SCA engine flags vulnerable jackson-databind versions against CVE-2019-12384 and the wider gadget-chain family, and cross-references your classpath for the co-occurring conditions that actually make it exploitable, such as the presence of Ehcache or other historically implicated gadget libraries, so security teams can prioritize the services where default typing and a dangerous gadget class actually coexist, instead of triaging every dependency hit as equally urgent.
Safeguard also tracks KEV status and exploitation signals over time, so if a previously quiet gadget CVE like this one ever sees a shift in real-world exploitation activity, your team is alerted rather than relying on a static severity label set at disclosure. And because our platform enforces policy at build time, you can gate merges or releases on jackson-databind meeting a minimum patched version, or on the outright presence of unsafe enableDefaultTyping() calls in code, catching the root-cause misconfiguration before it ships rather than chasing each new gadget CVE as it's disclosed.