Safeguard
Tag

jackson-databind

Safeguard articles tagged "jackson-databind" — guides, analysis, and best practices for software supply chain and application security.

11 articles

Application Security

Jackson ObjectMapper and the gadget-chain trap: safe polymorphic deserialization

One FasterXML fix in 2017 spawned nearly 30 follow-up CVEs. Here's how Jackson's polymorphic typing enables RCE, and how to configure ObjectMapper safely.

Jul 16, 20265 min read
Security Guides

Jackson-databind Security Guide (2026)

Jackson-databind is the default JSON engine for the Java ecosystem — and the source of one of the longest deserialization CVE sagas in open source. Here is how to run it safely.

Jul 4, 20266 min read
Vulnerability Analysis

Jackson-databind Polymorphic Deserialization Gadget (CVE-2019-12384) Explained

CVE-2019-12384 chained a logback gadget with H2's RUNSCRIPT to turn default typing into code execution. Here's the mechanism, the classpath caveat, and how to fix it for good.

Jul 3, 20265 min read
Vulnerability Analysis

Jackson-databind polymorphic deserialization RCE (CVE-2017-15095)

A critical jackson-databind deserialization vulnerability (CVE-2017-15095) lets unauthenticated attackers achieve RCE via HikariCP gadget classes.

Dec 25, 20257 min read
Vulnerability Analysis

Jackson-databind gadget chain RCE (CVE-2019-12384)

CVE-2019-12384 lets attacker-controlled JSON trigger a jackson-databind gadget chain via Logback, turning polymorphic deserialization into remote code execution.

Dec 25, 20258 min read
Vulnerability Analysis

Jackson-databind RCE via JDOM gadget (CVE-2020-36189)

CVE-2020-36189 lets attackers chain jackson-databind polymorphic deserialization with a JDOM gadget for RCE, SSRF, or XXE. Here's the mechanics and the fix.

Dec 25, 20257 min read
Vulnerability Analysis

CVE-2019-12384: Polymorphic deserialization gadget in Jac...

CVE-2019-12384 is a Jackson-databind polymorphic deserialization gadget flaw via Ehcache's transaction manager class, patched in 2.9.9.1.

Sep 30, 20257 min read
Vulnerability Analysis

CVE-2019-12814: Jackson-databind polymorphic type gadget ...

A look at CVE-2019-12814, a jackson-databind polymorphic typing gadget tied to JAXB classes, its risk profile, and how to remediate it in modern Java stacks.

Sep 30, 20257 min read
Vulnerability Analysis

CVE-2019-14379: Jackson-databind deserialization via jdk....

CVE-2019-14379 lets attackers abuse jackson-databind's polymorphic deserialization via a JDK Nashorn gadget class. Here's the risk, fix, and detection guidance.

Sep 29, 20257 min read
Vulnerability Analysis

CVE-2019-14540: Jackson-databind blacklist bypass via c3p...

CVE-2019-14540 lets attackers bypass jackson-databind's deserialization blacklist via c3p0 classes to achieve RCE. Here's what's affected, the timeline, and how to remediate.

Sep 29, 20257 min read
Vulnerability Analysis

CVE-2019-16335: Jackson-databind gadget via jackson-dataf...

CVE-2019-16335 is a jackson-databind polymorphic deserialization flaw tied to jackson-dataformat-cbor, fixed in 2.9.10. Here's the impact, timeline, and fix.

Sep 29, 20257 min read
jackson-databind — Safeguard Blog