Deserialization of Untrusted Data (Java JSON Deserialization) Jackson - Vulnerability Database

Deserialization of Untrusted Data (Java JSON Deserialization) Jackson

Description

This vulnerability occurs when a web application uses the Jackson JSON library to deserialize user-supplied data with Polymorphic Type Handling enabled. Polymorphic Type Handling allows the JSON document itself to name the Java class that should be instantiated during deserialization, so an attacker who controls the input can make the application instantiate classes it never intended to. When processing untrusted input, this feature can lead to remote code execution through deserialization gadgets: classes already on the classpath whose constructors or setters perform dangerous actions, which a crafted JSON payload can trigger simply by being deserialized. This is a well-known attack vector affecting Jackson versions that predate the hardening described below (the PolymorphicTypeValidator introduced in jackson-databind 2.10 and the accompanying fixes for known gadget classes).

Remediation

Take the following steps to remediate this vulnerability:

1. Upgrade the Jackson databind library to the latest stable version (2.10.0 or higher recommended), which includes fixes for known deserialization gadgets.

2. Disable default typing (Polymorphic Type Handling) unless absolutely required. Remove calls to enableDefaultTyping() or enableDefaultTypingAsProperty():

```java
// VULNERABLE CODE - remove this
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // DO NOT USE: lets the JSON choose the class to instantiate

// SECURE CODE
ObjectMapper mapper = new ObjectMapper();
// Do not enable default typing
```

3. If polymorphic deserialization is required, use PolymorphicTypeValidator (Jackson 2.10+) to whitelist allowed classes:

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
        // allowIfSubType(String) is a class-name prefix match: only classes
        // under this package may be named as a type id
        .allowIfSubType("com.yourcompany.safe.package")
        .build();
ObjectMapper mapper = JsonMapper.builder()
        .polymorphicTypeValidator(ptv)
        .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
        .build();
```

4. Validate and sanitize all input before deserialization and implement strict input validation rules.

5. Apply the principle of least privilege to the application's runtime environment to limit the impact of potential exploitation.
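The following is an added, self-contained example (not Invicti's code) showing what the validator in step 3 does at runtime: a type id naming an allow-listed subtype is accepted, while a type id naming any other class, here a harmless JDK class standing in for a gadget, is refused before anything is instantiated. It assumes jackson-databind 2.10 or later on the classpath; the Shape and Circle classes are hypothetical.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeDefaultTypingDemo {

    // Hypothetical domain model: a base type plus the one concrete subtype we allow.
    public abstract static class Shape {}
    public static class Circle extends Shape { public double radius; }

    // Default typing stays on, but only subtypes of Shape may be named in a type id.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        return JsonMapper.builder()
                .polymorphicTypeValidator(ptv)
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Constructed sample: the type id (first array element) names an allow-listed class.
        String allowed = "[\"" + Circle.class.getName() + "\", {\"radius\": 2.5}]";
        Shape s = mapper.readValue(allowed, Shape.class);
        System.out.println("accepted: " + s.getClass().getSimpleName()); // Circle

        // Constructed sample: the type id names a class outside the allow-list.
        // java.util.HashMap is harmless; a real payload would name a gadget class here.
        // The validator denies the type id, so no instance of that class is ever created.
        String denied = "[\"java.util.HashMap\", {}]";
        try {
            mapper.readValue(denied, Object.class);
            System.out.println("BUG: type id was not rejected");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```

The rejection surfaces as an InvalidTypeIdException, which is the exception to log and alert on when hunting for deserialization probes against an already-hardened mapper.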
