Description: An attacker crafts a malicious JSON payload that exploits jackson-databind's polymorphic deserialization, especially when default typing is enabled or misconfigured. The payload instructs Jackson to instantiate a vulnerable Java class present in the application's classpath. Upon deserialization, this class executes arbitrary code, granting the attacker control over the server. This often involves using known "gadget chains" of vulnerable classes.
- Impact: Critical. Full compromise of the server, including data breach, data manipulation, service disruption, and further propagation of attacks within the network.
- Affected Component:
ObjectMapper,Polymorphic Deserialization,Default Typingfeature. - Risk Severity: Critical
- Mitigation Strategies:
- Disable default typing (
ObjectMapper.disableDefaultTyping()). - If default typing is necessary, use
NON_FINALorOBJECT_AND_NON_CONCRETEwith a strict whitelist of allowed base classes. - Implement explicit whitelisting of allowed classes for polymorphic deserialization using annotations like
@JsonTypeInfoand@JsonSubTypes. - Regularly update
jackson-databindto the latest version. - Implement input validation and sanitization of JSON payloads.
- Apply the principle of least privilege to application execution.
- Disable default typing (
Description: An attacker sends extremely large JSON payloads to the application. When jackson-databind attempts to parse and deserialize these payloads, it consumes excessive server resources (CPU, memory, network bandwidth), leading to application slowdown or complete unavailability for legitimate users.
- Impact: High. Application becomes unavailable or severely degraded, impacting business operations and user experience.
- Affected Component:
JsonParser,ObjectMapper,Deserializationprocess. - Risk Severity: High
- Mitigation Strategies:
- Implement limits on the maximum size of incoming JSON payloads at the application or infrastructure level (e.g., web server, API gateway).
- Configure Jackson's parser to limit resource consumption (e.g., maximum string length, maximum number of tokens).
- Implement resource monitoring and throttling to detect and mitigate DoS attempts.
- Consider using Jackson's streaming API for parsing very large JSON documents to reduce memory footprint.
Description: An attacker crafts JSON payloads with excessively deep nesting levels of objects or arrays. Parsing these deeply nested structures can lead to stack overflow errors or excessive processing time in jackson-databind, causing a DoS.
- Impact: High. Application becomes unavailable or severely degraded, impacting business operations and user experience.
- Affected Component:
JsonParser,ObjectMapper,Deserializationprocess, Stack memory. - Risk Severity: High
- Mitigation Strategies:
- Configure Jackson's parser to limit the maximum nesting depth of JSON structures using
JsonFactoryBuilder.maxDepth(). - Implement input validation to reject JSON payloads with excessive nesting depth.
- Implement resource monitoring and throttling.
- Configure Jackson's parser to limit the maximum nesting depth of JSON structures using
Description: An attacker sends JSON payloads that represent recursive or cyclic object graphs. If jackson-databind is not configured to handle these structures properly, it can lead to infinite loops or excessive resource consumption during deserialization, resulting in a DoS.
- Impact: High. Application becomes unavailable or severely degraded, impacting business operations and user experience.
- Affected Component:
ObjectMapper,Deserializationprocess, Object graph handling. - Risk Severity: High
- Mitigation Strategies:
- Configure Jackson's
ObjectMapperto detect and handle cyclic references using features like@JsonIdentityInfoor by configuringDeserializationFeature.FAIL_ON_SELF_REFERENCESorDeserializationFeature.FAIL_ON_UNRESOLVED_OBJECT_IDS. - Implement input validation to detect and reject potentially cyclic JSON structures.
- Implement resource monitoring and throttling.
- Configure Jackson's