A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

Affected Packages

Maven com.fasterxml.jackson.core:jackson-databind

Affected versions: 0 (fixed in 2.6.7.1)

Maven com.fasterxml.jackson.core:jackson-databind

Affected versions: 2.7.0 (fixed in 2.7.9.1)

Maven com.fasterxml.jackson.core:jackson-databind

Affected versions: 2.8.0 (fixed in 2.8.9)

Related CVEs

CVE-2017-7525

Key Information

GHSA ID

GHSA-qxxx-2pp7-5hmx

Published

October 16, 2018 5:21 PM

Last Modified

March 1, 2024 9:41 PM

CVSS Score

9.0 /10

Primary Ecosystem

Maven

Primary Package

com.fasterxml.jackson.core:jackson-databind

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 14, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.