CVE-2026-41732
Status: Analyzed (analysis complete)

JsonPulsarHeaderMapper Package Trust Bypass in Spring for Apache Pulsar

Vulnerability report for CVE-2026-41732, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-27

Assigner: VMware

Description

JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default allow-list. Affected versions: Spring for Apache Pulsar 2.0.0 through 2.0.5; 1.2.0 through 1.2.17; 1.1.0 through 1.1.17.


Meta Information

Published: 2026-06-10
Last modified: 2026-06-27
Generated: 2026-06-30
AI Q&A: 2026-06-10
EPSS evaluated: 2026-06-29
External references: NVD, EUVD

Affected Vendors & Products

Associated CPEs (3)

Vendor   Product                   Version range
vmware   spring_for_apache_pulsar  1.1.0 to 1.1.17 (inclusive)
vmware   spring_for_apache_pulsar  1.2.0 to 1.2.17 (inclusive)
vmware   spring_for_apache_pulsar  2.0.0 to 2.0.5 (inclusive)


Exploitability

CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Executive Summary

CVE-2026-41732 is a vulnerability in Spring for Apache Pulsar where the JsonPulsarHeaderMapper matches type headers against trusted packages using a prefix check. This means that if a package is trusted, all its subpackages are implicitly trusted as well.

Additionally, if the trusted-packages configuration is left empty, it defaults to trusting all packages instead of applying a safe default allow-list. This broad trust combined with Jackson's default bean deserialization allows a malicious producer to craft header values that can deserialize arbitrary JDK classes, potentially causing harmful side effects such as allocating file descriptors or spawning thread pools.
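The two behaviours the summary describes, shown side by side in an added Java example that is not code from Spring for Apache Pulsar: a prefix check whose empty configuration falls back to trusting everything, next to an assumed hardening that compares the package component of the type id exactly and substitutes a small built-in allow-list when nothing is configured. The class and method names, the `com.acme.events` allow-list and the `java.util`/`java.lang` default are hypothetical, and the hardened check is one reasonable design rather than the project's actual fix. The example also goes slightly beyond the subpackage case the advisory states: a type id that merely shares the prefix string (`com.acme.eventsource`) is accepted too, which is a general property of `startsWith` matching.

```java
import java.util.List;
import java.util.Set;

// Added example, not Spring for Apache Pulsar's own code. It models the two
// trust checks the advisory describes for a JSON header type id:
//  - the vulnerable behaviour: prefix match, and an empty allow-list trusts everything;
//  - an assumed hardening: exact package match with a small built-in default allow-list.
public final class HeaderTypeTrust {

    // Hypothetical safe default used when no packages are configured.
    static final Set<String> DEFAULT_TRUSTED = Set.of("java.util", "java.lang");

    // Vulnerable form (as the advisory describes): a type id is accepted when its
    // fully-qualified class name merely starts with a trusted package name, so
    // trusting "com.acme.events" also trusts "com.acme.events.internal.Audit";
    // and an empty configuration falls back to trusting every package.
    static boolean trustedByPrefix(String classId, List<String> trustedPackages) {
        if (trustedPackages.isEmpty()) {
            return true; // no allow-list at all
        }
        for (String pkg : trustedPackages) {
            if (classId.startsWith(pkg)) {
                return true;
            }
        }
        return false;
    }

    // Hardened form (assumed design): compare the type id's package component exactly
    // against the allow-list, and use a small default allow-list when nothing is configured.
    static boolean trustedByExactPackage(String classId, List<String> trustedPackages) {
        Set<String> allowed = trustedPackages.isEmpty() ? DEFAULT_TRUSTED : Set.copyOf(trustedPackages);
        return allowed.contains(packageOf(classId));
    }

    // The package part of a fully-qualified class name ("" for the default package).
    static String packageOf(String classId) {
        int dot = classId.lastIndexOf('.');
        return dot < 0 ? "" : classId.substring(0, dot);
    }

    public static void main(String[] args) {
        List<String> configured = List.of("com.acme.events");
        List<String> empty = List.of();

        // Constructed header type ids, as a producer could set them on a message.
        String[] typeIds = {
            "com.acme.events.OrderCreated",       // the intended, trusted type
            "com.acme.events.internal.Audit",     // subpackage: accepted only by the prefix check
            "com.acme.eventsource.Other",         // shares the prefix string, not the package
            "java.util.HashMap",                  // in the hypothetical default allow-list
            "org.example.untrusted.Payload",      // unrelated package
        };

        System.out.printf("%-38s %-8s %-8s%n", "type id (configured: com.acme.events)", "prefix", "exact");
        for (String id : typeIds) {
            System.out.printf("%-38s %-8b %-8b%n", id,
                trustedByPrefix(id, configured), trustedByExactPackage(id, configured));
        }
        System.out.printf("%n%-38s %-8s %-8s%n", "type id (nothing configured)", "prefix", "exact");
        for (String id : typeIds) {
            System.out.printf("%-38s %-8b %-8b%n", id,
                trustedByPrefix(id, empty), trustedByExactPackage(id, empty));
        }
    }
}
```

Run it with `java HeaderTypeTrust.java` (Java 11 or later). With nothing configured the prefix column is `true` for every id, which is the unsafe fallback the advisory describes, while the exact column accepts only `java.util.HashMap`; with `com.acme.events` configured, only `com.acme.events.OrderCreated` passes the exact check.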

Impact Analysis

This vulnerability can have serious impacts because it allows an attacker to exploit the deserialization process to execute arbitrary code or cause resource exhaustion on the affected system.

  • Execution of arbitrary JDK classes with side effects.
  • Potential allocation of file descriptors.
  • Spawning of thread pools or other resource-intensive operations.

Such impacts can lead to denial of service, system instability, or unauthorized actions on the system running Spring for Apache Pulsar.

Mitigation Strategies

To mitigate this vulnerability, users should upgrade Spring for Apache Pulsar to the fixed versions.

  • Upgrade to version 2.0.6 (OSS) or 2.0.5.1 (Commercial) for the 2.0.x series.
  • Upgrade to version 1.2.18 (OSS) or 1.2.17.1 (Commercial) for the 1.2.x series.
  • Upgrade to version 1.1.18 (Commercial) for the 1.1.x series.

No further mitigation is required after upgrading.

Compliance Impact

The vulnerability in JsonPulsarHeaderMapper allows malicious producers to craft header values that can deserialize arbitrary JDK classes, potentially leading to unauthorized code execution or resource allocation. This security flaw could result in unauthorized access or manipulation of data, which may impact compliance with data protection standards such as GDPR or HIPAA that require strict controls over data integrity and confidentiality.

Because the vulnerability enables potentially harmful deserialization attacks, organizations using affected versions of Spring for Apache Pulsar might face increased risk of data breaches or system compromise, which are critical concerns under regulations like GDPR and HIPAA.

Upgrading to the fixed versions is recommended to mitigate these risks and maintain compliance with such standards.

Detection Guidance

There are no specific detection commands or network/system scanning methods provided for this vulnerability in the available resources.

Detection primarily involves identifying if your environment is running affected versions of Spring for Apache Pulsar: versions 2.0.0 through 2.0.5, 1.2.0 through 1.2.17, or 1.1.0 through 1.1.17.

To detect the vulnerability, you should check the version of Spring for Apache Pulsar deployed in your system.

  • Check the version of the Spring for Apache Pulsar library in your application dependencies or runtime environment.
  • If you have access to the application environment, commands like `mvn dependency:list | grep spring-for-apache-pulsar` (for Maven projects) or `gradle dependencies | grep spring-for-apache-pulsar` (for Gradle projects) can help identify the version.
  • Alternatively, inspecting the application logs or startup messages might reveal the version of Spring for Apache Pulsar in use.

No network-level detection commands or signatures are provided because the vulnerability is related to deserialization logic within the application.
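An added Java example, not part of the advisory or the project, that applies the version ranges and fixed releases listed above to dependency-list output. The input lines are constructed to resemble `mvn dependency:list` output (`groupId:artifactId:type:version:scope`), and the `org.springframework.pulsar` coordinates and artifact names are assumptions. The comparison is component-wise, so a four-part commercial release such as 2.0.5.1 is correctly seen as outside the 2.0.0 to 2.0.5 range rather than being matched as a string prefix.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not the project's own tooling: flag affected Spring for Apache
// Pulsar versions in dependency-list output using the ranges and fixed versions
// stated in the advisory.
public final class PulsarVersionCheck {

    // Affected ranges (inclusive) and fixed releases, taken from the advisory text.
    record Range(String first, String last, String fixed) {}

    static final List<Range> AFFECTED = List.of(
        new Range("1.1.0", "1.1.17", "1.1.18 (Commercial)"),
        new Range("1.2.0", "1.2.17", "1.2.18 (OSS) or 1.2.17.1 (Commercial)"),
        new Range("2.0.0", "2.0.5", "2.0.6 (OSS) or 2.0.5.1 (Commercial)")
    );

    // Numeric, component-wise comparison ("2.0.10" > "2.0.9"); a missing component
    // counts as 0, so "2.0.5.1" sorts after "2.0.5".
    static int compare(String a, String b) {
        int[] x = parts(a), y = parts(b);
        for (int i = 0; i < Math.max(x.length, y.length); i++) {
            int xi = i < x.length ? x[i] : 0;
            int yi = i < y.length ? y[i] : 0;
            if (xi != yi) return Integer.compare(xi, yi);
        }
        return 0;
    }

    // Leading numeric components of a version string; a qualifier such as
    // "-SNAPSHOT" ends the numeric part.
    static int[] parts(String version) {
        List<Integer> out = new ArrayList<>();
        for (String piece : version.split("\\.")) {
            int end = 0;
            while (end < piece.length() && Character.isDigit(piece.charAt(end))) end++;
            if (end == 0) break;
            out.add(Integer.parseInt(piece.substring(0, end)));
        }
        return out.stream().mapToInt(Integer::intValue).toArray();
    }

    // Fix advice when the version lies in an affected range, otherwise null.
    static String affectedAdvice(String version) {
        for (Range r : AFFECTED) {
            if (compare(version, r.first()) >= 0 && compare(version, r.last()) <= 0) {
                return "AFFECTED, upgrade to " + r.fixed();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample lines in the shape of `mvn dependency:list` output; the
        // org.springframework.pulsar coordinates are an assumption, not from the advisory.
        String[] lines = {
            "[INFO]    org.springframework.pulsar:spring-pulsar:jar:2.0.3:compile",
            "[INFO]    org.springframework.pulsar:spring-pulsar-reactive:jar:1.2.17:compile",
            "[INFO]    org.springframework.pulsar:spring-pulsar:jar:2.0.5.1:compile",
            "[INFO]    org.springframework.pulsar:spring-pulsar:jar:1.2.18:compile",
            "[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.17.0:compile",
        };
        for (String line : lines) {
            String[] coords = line.trim().replaceFirst("^\\[INFO\\]\\s*", "").split(":");
            // Only Spring for Apache Pulsar artifacts are of interest here.
            if (coords.length < 5 || !coords[0].equals("org.springframework.pulsar")) continue;
            String version = coords[coords.length - 2]; // version precedes the scope
            String advice = affectedAdvice(version);
            System.out.printf("%-28s %-8s %s%n", coords[1], version,
                advice == null ? "not in an affected range" : advice);
        }
    }
}
```

Run it with `java PulsarVersionCheck.java` (Java 17 or later, for the record type). Replacing the constructed array with lines read from standard input turns it into a filter for real `mvn dependency:list` output; for Gradle, the artifact and version appear in the same `group:artifact:version` order, so the same coordinate parsing applies once the scope component is dropped.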
