CVE-2026-54514
Status: Received - Intake
Eager DNS Resolution in Jackson Databind

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.
Meta Information
Generated: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-918 (Server-Side Request Forgery): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

The vulnerability exists in jackson-databind's JDKFromStringDeserializer, which builds InetSocketAddress values with the resolving constructor, new InetSocketAddress(host, port). From 2.0.0 until the fixed releases 2.18.8, 2.21.4, and 3.1.4, that constructor runs a DNS lookup for the hostname as part of deserialization, so the query is issued the moment readValue reaches an InetSocketAddress field.

If an application binds JSON from an untrusted source into a type containing an InetSocketAddress, the attacker therefore chooses the name that gets resolved, and the lookup happens before any application-level validation or connection logic runs. Jackson itself opens no connection; the observable effect is the DNS traffic.

The fix switches to InetSocketAddress.createUnresolved(host, port), which stores the hostname and port without resolving them and leaves DNS to whatever code later connects.

Impact Analysis

The practical impact is that an attacker who controls the JSON can make your application perform DNS lookups of their choosing during deserialization. Pointing the name at a zone they host gives them an out-of-band signal: the query confirms that the payload reached a deserializer, and its source address reveals which resolver (and so which network egress) your application uses.

Because the address is resolved synchronously and fixed at deserialization time, two further effects follow. A validator that re-resolves the hostname later may see a different answer than the one already captured in the object, a time-of-check/time-of-use gap that DNS rebinding can exploit; and a payload naming many hosts, or a host whose authoritative server answers slowly, ties up the thread doing the deserialization, which can amount to a denial of service.

The CVSS base score of 5.3 reported for this issue indicates medium severity, with low attack complexity and no privileges or user interaction required.

Mitigation Strategies

To mitigate this vulnerability, update jackson-databind to one of the fixed versions: 2.18.8, 2.21.4, or 3.1.4.

The fixed versions use InetSocketAddress.createUnresolved(host, port), so deserialization stores the hostname and port without touching DNS and no attacker-chosen query is issued during readValue. One consequence to check after upgrading: a deserialized InetSocketAddress is now unresolved, so isUnresolved() returns true and getAddress() returns null until the application resolves or connects. Code that read getAddress() directly from the bound object must resolve the host itself, and that is the right place to validate the target before doing so.
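As an added example (not jackson-databind's code and not part of this advisory), the following Jackson 2.x program shows the affected binding pattern from the description and the shape of the fix described under mitigation, packaged as a module you can register on an ObjectMapper as an interim workaround where upgrading is delayed. Jackson binds InetSocketAddress from a JSON string of the form host:port (or [ipv6]:port). The UpstreamConfig type, the hardenedMapper helper and the probe.attacker.example input are constructed for illustration, and the package names assume Jackson 2.x (Jackson 3 moved them under tools.jackson).

```java
// Added example, not jackson-databind's own code. Assumes Jackson 2.x packages;
// UpstreamConfig, hardenedMapper and the JSON input are constructed for illustration.
import java.io.IOException;
import java.net.InetSocketAddress;

import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.deser.std.StdDeserializer;
import com.fasterxml.jackson.databind.module.SimpleModule;

public class UnresolvedSocketAddressDemo {

    /** Hypothetical config type; the upstream field is what untrusted JSON binds into. */
    public static class UpstreamConfig {
        public InetSocketAddress upstream;
    }

    /**
     * Mirrors the fix: parses "host:port" or "[ipv6]:port" and builds the address with
     * createUnresolved, so no DNS query leaves the host during readValue.
     */
    public static class UnresolvedInetSocketAddressDeserializer extends StdDeserializer<InetSocketAddress> {
        public UnresolvedInetSocketAddressDeserializer() {
            super(InetSocketAddress.class);
        }

        @Override
        public InetSocketAddress deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
            String text = p.getValueAsString();          // null for non-scalar tokens
            if (text == null) {
                return (InetSocketAddress) ctxt.handleUnexpectedToken(InetSocketAddress.class, p);
            }
            return parseUnresolved(text.trim(), ctxt);
        }

        private static InetSocketAddress parseUnresolved(String text, DeserializationContext ctxt) throws IOException {
            String host;
            String portText;
            if (text.startsWith("[")) {                  // bracketed IPv6 literal, e.g. [::1]:8080
                int close = text.indexOf(']');
                if (close < 0 || close + 1 >= text.length() || text.charAt(close + 1) != ':') {
                    throw ctxt.weirdStringException(text, InetSocketAddress.class, "expected [ipv6]:port");
                }
                host = text.substring(1, close);
                portText = text.substring(close + 2);
            } else {                                     // plain host:port
                int colon = text.lastIndexOf(':');
                if (colon <= 0 || colon == text.length() - 1) {
                    throw ctxt.weirdStringException(text, InetSocketAddress.class, "expected host:port");
                }
                host = text.substring(0, colon);
                portText = text.substring(colon + 1);
            }
            int port;
            try {
                port = Integer.parseInt(portText);
            } catch (NumberFormatException e) {
                throw ctxt.weirdStringException(text, InetSocketAddress.class, "port is not a number");
            }
            if (port < 0 || port > 65535) {
                throw ctxt.weirdStringException(text, InetSocketAddress.class, "port out of range");
            }
            // The whole point: store host and port, resolve nothing.
            return InetSocketAddress.createUnresolved(host, port);
        }
    }

    /** Custom module deserializers take precedence over Jackson's built-in JDK ones. */
    public static ObjectMapper hardenedMapper() {
        SimpleModule module = new SimpleModule("unresolved-inet-socket-address");
        module.addDeserializer(InetSocketAddress.class, new UnresolvedInetSocketAddressDeserializer());
        return new ObjectMapper().registerModule(module);
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a name under attacker control would show them the lookup.
        String untrusted = "{\"upstream\":\"probe.attacker.example:443\"}";

        // Stock mapper: on an affected version the constructor resolves the name right here;
        // the DNS query has left the host whether or not resolution succeeds.
        InetSocketAddress stock = new ObjectMapper().readValue(untrusted, UpstreamConfig.class).upstream;
        System.out.println("stock mapper unresolved? " + stock.isUnresolved());

        // Hardened mapper: always unresolved; DNS happens only if and when the app connects.
        InetSocketAddress safe = hardenedMapper().readValue(untrusted, UpstreamConfig.class).upstream;
        System.out.println("hardened mapper unresolved? " + safe.isUnresolved()
                + " host=" + safe.getHostString() + " port=" + safe.getPort());
    }
}
```

On an affected version the stock mapper line reports isUnresolved() false whenever the name resolves, and the query has gone out either way; the hardened mapper reports true regardless of version. Registering the module on a fixed version is harmless, since it reproduces the same createUnresolved behaviour, which also makes it a convenient way to pin the safe behaviour across a mixed dependency tree.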
