CVE Catalog

CVE-2026-54514

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

12th percentile - higher than 12% of all known CVEs

Summary

Vulnerability in jackson-databind from version 2.0.0 to 2.18.8, 2.21.4, and 3.1.4 causes immediate DNS resolution for untrusted input during deserialization of InetSocketAddress. An attacker can force a DNS query to a chosen host before any application-level validation.

Risk Assessment

The organization is exposed to DNS exfiltration or internal network scanning attacks via attacker-controlled DNS queries, potentially leading to data leakage or infrastructure mapping.

Recommendation

Immediately update jackson-databind to version 2.18.8, 2.21.4, or 3.1.4, depending on the branch used, to defer DNS resolution until an explicit connection.

Original NVD description (English source)

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS