FasterXML jackson-databind 2.x before 2.9.10.4 and 2.6.7.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).

Affected Packages

Maven com.fasterxml.jackson.core:jackson-databind

Affected versions: 2.7.0 (fixed in 2.9.10.4)

Maven com.fasterxml.jackson.core:jackson-databind

Affected versions: 2.0.0 (fixed in 2.6.7.4)

Related CVEs

CVE-2020-10673

Key Information

GHSA ID

GHSA-fqwf-pjwf-7vqv

Published

May 15, 2020 6:59 PM

Last Modified

July 3, 2024 9:10 PM

CVSS Score

7.5 /10

Primary Ecosystem

Maven

Primary Package

com.fasterxml.jackson.core:jackson-databind

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 13, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.