GHSA-hgj6-7826-r7m5

Suggest an improvement
Source
https://github.com/advisories/GHSA-hgj6-7826-r7m5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-hgj6-7826-r7m5/GHSA-hgj6-7826-r7m5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hgj6-7826-r7m5
Aliases
  • CVE-2026-54514
Downstream
Related
Published
2026-06-23T21:22:54Z
Modified
2026-06-25T00:29:24.783131313Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)
Details

Summary

JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect.

Impact

An attacker controlling JSON deserialized into an InetSocketAddress-bearing type can force outbound DNS lookups for attacker-chosen hostnames at deserialization time (SSRF / DNS-based out-of-band interaction / internal-resolver probing), purely from binding.

Affected / Patched (verified via git tag --contains on 1f5a103)

  • 2.18 line: >= 2.18.0, < 2.18.8 -> fixed in 2.18.8
  • 2.19-2.21 line: >= 2.19.0, < 2.21.4 -> fixed in 2.21.4
  • 3.x line: >= 3.0.0, < 3.1.4 -> fixed in 3.1.4

Severity / CWE

Maintainer: minor. Reporter: LOW. CWE-918 (SSRF).

Upstream fix

FasterXML/jackson-databind#5951 ("Improve InetSocketAddress deserialization"). Released 2026-06-04 in 2.18.8 / 2.21.4 / 3.1.4.

Credits

Omkhar Arasaratnam (@omkhar) - finder.

Database specific 
{
    "github_reviewed_at": "2026-06-23T21:22:54Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-918"
    ],
    "github_reviewed": true,
    "nvd_published_at": null
}
References

Affected packages

Maven
com.fasterxml.jackson.core:jackson-databind

Package

Name
com.fasterxml.jackson.core:jackson-databind
View open source insights on deps.dev
Purl
pkg:maven/com.fasterxml.jackson.core/jackson-databind

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.18.8

Affected versions

2.*
2.0.0
2.0.1
2.0.2
2.0.4
2.0.5
2.0.6
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.2.0-rc1
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.3.0-rc1
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.4.0-rc1
2.4.0-rc2
2.4.0-rc3
2.4.0
2.4.1
2.4.1.1
2.4.1.2
2.4.1.3
2.4.2
2.4.3
2.4.4
2.4.5
2.4.5.1
2.4.6
2.4.6.1
2.5.0-rc1
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.6.0-rc1
2.6.0-rc2
2.6.0-rc3
2.6.0-rc4
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.7.1
2.6.7.2
2.6.7.3
2.6.7.4
2.6.7.5
2.7.0-rc1
2.7.0-rc2
2.7.0-rc3
2.7.0
2.7.1
2.7.1-1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.7.9.1
2.7.9.2
2.7.9.3
2.7.9.4
2.7.9.5
2.7.9.6
2.7.9.7
2.8.0.rc1
2.8.0.rc2
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.8.1
2.8.9
2.8.10
2.8.11
2.8.11.1
2.8.11.2
2.8.11.3
2.8.11.4
2.8.11.5
2.8.11.6
2.9.0
2.9.0.pr1
2.9.0.pr2
2.9.0.pr3
2.9.0.pr4
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.7
2.9.8
2.9.9
2.9.9.1
2.9.9.2
2.9.9.3
2.9.10
2.9.10.1
2.9.10.2
2.9.10.3
2.9.10.4
2.9.10.5
2.9.10.6
2.9.10.7
2.9.10.8
2.10.0
2.10.0.pr1
2.10.0.pr2
2.10.0.pr3
2.10.1
2.10.2
2.10.3
2.10.4
2.10.5
2.10.5.1
2.11.0.rc1
2.11.0
2.11.1
2.11.2
2.11.3
2.11.4
2.12.0-rc1
2.12.0-rc2
2.12.0
2.12.1
2.12.2
2.12.3
2.12.4
2.12.5
2.12.6
2.12.6.1
2.12.7
2.12.7.1
2.12.7.2
2.13.0-rc1
2.13.0-rc2
2.13.0
2.13.1
2.13.2
2.13.2.1
2.13.2.2
2.13.3
2.13.4
2.13.4.1
2.13.4.2
2.13.5
2.14.0-rc1
2.14.0-rc2
2.14.0-rc3
2.14.0
2.14.1
2.14.2
2.14.3
2.15.0-rc1
2.15.0-rc2
2.15.0-rc3
2.15.0
2.15.1
2.15.2
2.15.3
2.15.4
2.16.0-rc1
2.16.0
2.16.1
2.16.2
2.17.0-rc1
2.17.0
2.17.1
2.17.2
2.17.3
2.18.0-rc1
2.18.0
2.18.1
2.18.2
2.18.3
2.18.4
2.18.5
2.18.6
2.18.7

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-hgj6-7826-r7m5/GHSA-hgj6-7826-r7m5.json"
com.fasterxml.jackson.core:jackson-databind

Package

Name
com.fasterxml.jackson.core:jackson-databind
View open source insights on deps.dev
Purl
pkg:maven/com.fasterxml.jackson.core/jackson-databind

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.19.0
Fixed
2.21.4

Affected versions

2.*
2.19.0
2.19.1
2.19.2
2.19.3
2.19.4
2.20.0-rc1
2.20.0
2.20.1
2.20.2
2.21.0
2.21.1
2.21.2
2.21.3

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-hgj6-7826-r7m5/GHSA-hgj6-7826-r7m5.json"
com.fasterxml.jackson.core:jackson-databind

Package

Name
com.fasterxml.jackson.core:jackson-databind
View open source insights on deps.dev
Purl
pkg:maven/com.fasterxml.jackson.core/jackson-databind

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.1.4

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-hgj6-7826-r7m5/GHSA-hgj6-7826-r7m5.json"
tools.jackson.core:jackson-databind

Package

Name
tools.jackson.core:jackson-databind
View open source insights on deps.dev
Purl
pkg:maven/tools.jackson.core/jackson-databind

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.19.0
Fixed
2.21.4

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-hgj6-7826-r7m5/GHSA-hgj6-7826-r7m5.json"
tools.jackson.core:jackson-databind

Package

Name
tools.jackson.core:jackson-databind
View open source insights on deps.dev
Purl
pkg:maven/tools.jackson.core/jackson-databind

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.1.4

Affected versions

3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.1.0-rc1
3.1.0
3.1.1
3.1.2
3.1.3

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-hgj6-7826-r7m5/GHSA-hgj6-7826-r7m5.json"