VDB
KO
MEDIUM 5.3

GHSA-hgj6-7826-r7m5

jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)

Details

## Summary `JDKFromStringDeserializer` constructed `InetSocketAddress` with `new InetSocketAddress(host, port)`, which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an `InetSocketAddress` field issues an attacker-chosen DNS query during `readValue`, before any application-level validation or connect logic. The fix uses `InetSocketAddress.createUnresolved(host, port)`, deferring DNS to an explicit connect.

## Impact An attacker controlling JSON deserialized into an `InetSocketAddress`-bearing type can force outbound DNS lookups for attacker-chosen hostnames at deserialization time (SSRF / DNS-based out-of-band interaction / internal-resolver probing), purely from binding.

## Affected / Patched (verified via `git tag --contains` on `1f5a103`) - 2.18 line: `>= 2.18.0, < 2.18.8` -> fixed in **2.18.8** - 2.19-2.21 line: `>= 2.19.0, < 2.21.4` -> fixed in **2.21.4** - 3.x line: `>= 3.0.0, < 3.1.4` -> fixed in **3.1.4**

## Severity / CWE Maintainer: minor. Reporter: LOW. CWE-918 (SSRF).

## Upstream fix FasterXML/jackson-databind#5951 ("Improve InetSocketAddress deserialization"). Released 2026-06-04 in 2.18.8 / 2.21.4 / 3.1.4.

## Credits Omkhar Arasaratnam (@omkhar) - finder.

Are you affected?

Enter the version of the package you're using.

Affected packages

Maven / com.fasterxml.jackson.core:jackson-databind
Introduced in: 2.0.0 Fixed in: 2.18.8
Fix # pom.xml: bump <version>2.18.8</version> for com.fasterxml.jackson.core:jackson-databind
Maven / com.fasterxml.jackson.core:jackson-databind
Introduced in: 2.19.0 Fixed in: 2.21.4
Fix # pom.xml: bump <version>2.21.4</version> for com.fasterxml.jackson.core:jackson-databind
Maven / com.fasterxml.jackson.core:jackson-databind
Introduced in: 3.0.0 Fixed in: 3.1.4
Fix # pom.xml: bump <version>3.1.4</version> for com.fasterxml.jackson.core:jackson-databind
Maven / tools.jackson.core:jackson-databind
Introduced in: 2.19.0 Fixed in: 2.21.4
Fix # pom.xml: bump <version>2.21.4</version> for tools.jackson.core:jackson-databind
Maven / tools.jackson.core:jackson-databind
Introduced in: 3.0.0 Fixed in: 3.1.4
Fix # pom.xml: bump <version>3.1.4</version> for tools.jackson.core:jackson-databind

References