jackson-databind
Safeguard articles tagged "jackson-databind" — guides, analysis, and best practices for software supply chain and application security.
11 articles
Jackson ObjectMapper and the gadget-chain trap: safe polymorphic deserialization
One FasterXML fix in 2017 spawned nearly 30 follow-up CVEs. Here's how Jackson's polymorphic typing enables RCE, and how to configure ObjectMapper safely.
Jackson-databind Security Guide (2026)
Jackson-databind is the default JSON engine for the Java ecosystem — and the source of one of the longest deserialization CVE sagas in open source. Here is how to run it safely.
Jackson-databind Polymorphic Deserialization Gadget (CVE-2019-12384) Explained
CVE-2019-12384 chained a logback gadget with H2's RUNSCRIPT to turn default typing into code execution. Here's the mechanism, the classpath caveat, and how to fix it for good.
Jackson-databind polymorphic deserialization RCE (CVE-2017-15095)
A critical jackson-databind deserialization vulnerability (CVE-2017-15095) lets unauthenticated attackers achieve RCE via HikariCP gadget classes.
Jackson-databind gadget chain RCE (CVE-2019-12384)
CVE-2019-12384 lets attacker-controlled JSON trigger a jackson-databind gadget chain via Logback, turning polymorphic deserialization into remote code execution.
Jackson-databind RCE via JDOM gadget (CVE-2020-36189)
CVE-2020-36189 lets attackers chain jackson-databind polymorphic deserialization with a JDOM gadget for RCE, SSRF, or XXE. Here's the mechanics and the fix.
CVE-2019-12384: Polymorphic deserialization gadget in Jac...
CVE-2019-12384 is a Jackson-databind polymorphic deserialization gadget flaw via Ehcache's transaction manager class, patched in 2.9.9.1.
CVE-2019-12814: Jackson-databind polymorphic type gadget ...
A look at CVE-2019-12814, a jackson-databind polymorphic typing gadget tied to JAXB classes, its risk profile, and how to remediate it in modern Java stacks.
CVE-2019-14379: Jackson-databind deserialization via jdk....
CVE-2019-14379 lets attackers abuse jackson-databind's polymorphic deserialization via a JDK Nashorn gadget class. Here's the risk, fix, and detection guidance.
CVE-2019-14540: Jackson-databind blacklist bypass via c3p...
CVE-2019-14540 lets attackers bypass jackson-databind's deserialization blacklist via c3p0 classes to achieve RCE. Here's what's affected, the timeline, and how to remediate.
CVE-2019-16335: Jackson-databind gadget via jackson-dataf...
CVE-2019-16335 is a jackson-databind polymorphic deserialization flaw tied to jackson-dataformat-cbor, fixed in 2.9.10. Here's the impact, timeline, and fix.