GHSA-5jmj-h7xm-6q6v

Source
https://github.com/advisories/GHSA-5jmj-h7xm-6q6v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-5jmj-h7xm-6q6v/GHSA-5jmj-h7xm-6q6v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5jmj-h7xm-6q6v
Aliases
  • CVE-2026-54515
Downstream
Published
2026-06-23T21:23:58Z
Modified
2026-06-23T21:30:08.085183812Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties
Details

Summary

In BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from this._beanProperties (the original, unfiltered map) instead of contextual._beanProperties, then overwrites the filtered map — restoring every property _handleByNameInclusion had just removed. The ignored property becomes writable again.

Impact

An application that both enables case-insensitive matching and relies on per-property @JsonIgnoreProperties to keep a field unwritable can have that field set from untrusted JSON (mass-assignment-style write).
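
The affected shape described above, written out as an added example (not code from the advisory or from jackson-databind): a bean-typed property that carries both a per-property @JsonIgnoreProperties exclusion and @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES). The class names, the field name "secret" and the Jackson 2.x package names are assumptions; ignoredFieldWasWritten() is a regression check that, per the advisory, returns true on unpatched versions and false once the fix is in, and the @JsonIgnore variant is a workaround that is not taken from the advisory.

```java
import com.fasterxml.jackson.annotation.JsonFormat;
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.databind.ObjectMapper;

public class IgnorePropertiesRegressionCheck {

    // Constructed target type (assumption): "secret" must never be settable from JSON.
    public static class Account {
        public String name;
        public String secret;
    }

    // Affected shape: the exclusion lives on the property, and the same property
    // enables case-insensitive matching, which triggers the rebuild from the
    // unfiltered BeanPropertyMap described in the advisory.
    public static class Request {
        @JsonIgnoreProperties({"secret"})
        @JsonFormat(with = JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES)
        public Account account;
    }

    // Workaround shape (assumption, not from the advisory): remove the field from the
    // bean itself with @JsonIgnore, so no per-property contextual rebuild can restore it.
    public static class HardenedAccount {
        public String name;
        @JsonIgnore
        public String secret;
    }

    public static class HardenedRequest {
        @JsonFormat(with = JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES)
        public HardenedAccount account;
    }

    // Constructed untrusted input. Exact-case keys are enough: the bug is the rebuild
    // itself, not a case mismatch, so the excluded name is simply found again.
    static final String JSON = "{\"account\":{\"name\":\"alice\",\"secret\":\"injected\"}}";

    /** True when the per-property exclusion was bypassed (unpatched behaviour). */
    public static boolean ignoredFieldWasWritten() throws Exception {
        Request r = new ObjectMapper().readValue(JSON, Request.class);
        return r.account.secret != null;
    }

    /** Expected false on any version: the property never exists on the bean. */
    public static boolean hardenedFieldWasWritten() throws Exception {
        HardenedRequest r = new ObjectMapper().readValue(JSON, HardenedRequest.class);
        return r.account.secret != null;
    }
}
```

Run ignoredFieldWasWritten() as a unit test in the consuming application so that a dependency downgrade or a re-introduced per-property exclusion is caught by CI rather than in production.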

Affected / Patched

Fixed in 2.18.9, 2.21.5 and 3.1.4.

Severity / CWE

Severity rated minor by the maintainer and Moderate by the reporter. CWE-915.

Upstream fix

FasterXML/jackson-databind#5962 (PR #5964, 0e1b0b2), milestone 3.1.4. Released 2026-06-04.

Credits

Omkhar Arasaratnam (@omkhar) - finder.

Database specific
{
    "github_reviewed_at": "2026-06-23T21:23:58Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-915"
    ],
    "github_reviewed": true,
    "nvd_published_at": null
}
References

Affected packages

Maven
com.fasterxml.jackson.core:jackson-databind

Package

Name
com.fasterxml.jackson.core:jackson-databind
Purl
pkg:maven/com.fasterxml.jackson.core/jackson-databind

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-5jmj-h7xm-6q6v/GHSA-5jmj-h7xm-6q6v.json"
tools.jackson.core:jackson-databind

Package

Name
tools.jackson.core:jackson-databind
Purl
pkg:maven/tools.jackson.core/jackson-databind

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.1.4

Affected versions

3.*
3.1.0
3.1.1
3.1.2
3.1.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-5jmj-h7xm-6q6v/GHSA-5jmj-h7xm-6q6v.json"
com.fasterxml.jackson.core:jackson-databind

Package

Name
com.fasterxml.jackson.core:jackson-databind
Purl
pkg:maven/com.fasterxml.jackson.core/jackson-databind

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.8.0
Fixed
2.18.9

Affected versions

2.*
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.8.1
2.8.9
2.8.10
2.8.11
2.8.11.1
2.8.11.2
2.8.11.3
2.8.11.4
2.8.11.5
2.8.11.6
2.9.0
2.9.0.pr1
2.9.0.pr2
2.9.0.pr3
2.9.0.pr4
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.7
2.9.8
2.9.9
2.9.9.1
2.9.9.2
2.9.9.3
2.9.10
2.9.10.1
2.9.10.2
2.9.10.3
2.9.10.4
2.9.10.5
2.9.10.6
2.9.10.7
2.9.10.8
2.10.0
2.10.0.pr1
2.10.0.pr2
2.10.0.pr3
2.10.1
2.10.2
2.10.3
2.10.4
2.10.5
2.10.5.1
2.11.0.rc1
2.11.0
2.11.1
2.11.2
2.11.3
2.11.4
2.12.0-rc1
2.12.0-rc2
2.12.0
2.12.1
2.12.2
2.12.3
2.12.4
2.12.5
2.12.6
2.12.6.1
2.12.7
2.12.7.1
2.12.7.2
2.13.0-rc1
2.13.0-rc2
2.13.0
2.13.1
2.13.2
2.13.2.1
2.13.2.2
2.13.3
2.13.4
2.13.4.1
2.13.4.2
2.13.5
2.14.0-rc1
2.14.0-rc2
2.14.0-rc3
2.14.0
2.14.1
2.14.2
2.14.3
2.15.0-rc1
2.15.0-rc2
2.15.0-rc3
2.15.0
2.15.1
2.15.2
2.15.3
2.15.4
2.16.0-rc1
2.16.0
2.16.1
2.16.2
2.17.0-rc1
2.17.0
2.17.1
2.17.2
2.17.3
2.18.0-rc1
2.18.0
2.18.1
2.18.2
2.18.3
2.18.4
2.18.5
2.18.6
2.18.7
2.18.8

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-5jmj-h7xm-6q6v/GHSA-5jmj-h7xm-6q6v.json"
com.fasterxml.jackson.core:jackson-databind

Package

Name
com.fasterxml.jackson.core:jackson-databind
Purl
pkg:maven/com.fasterxml.jackson.core/jackson-databind

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.19.0
Fixed
2.21.5

Affected versions

2.*
2.19.0
2.19.1
2.19.2
2.19.3
2.19.4
2.20.0-rc1
2.20.0
2.20.1
2.20.2
2.21.0
2.21.1
2.21.2
2.21.3
2.21.4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-5jmj-h7xm-6q6v/GHSA-5jmj-h7xm-6q6v.json"