Skip to content

Commit 5251b24

Browse files
UID2-7364: Clarify .trivyignore rationale for CVE-2026-54512/54513
The CVEs require polymorphic typing to be explicitly enabled — uid2-shared uses only standard ObjectMapper with no polymorphic deserialization config, so these are not exploitable regardless of the upstream fix status. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent 24ea30d commit 5251b24

1 file changed

Lines changed: 3 additions & 1 deletion

File tree

.trivyignore

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,9 @@
66
# See: UID2-6670
77
GHSA-72hv-8253-57qq exp:2026-09-01
88

9-
# jackson-databind data-binding vulnerability - no upstream fix released yet (fix targets: 2.18.8, 2.21.4, 3.1.4)
9+
# jackson-databind polymorphic deserialization bypass - not exploitable, uid2-shared does not enable polymorphic
10+
# typing (no @JsonTypeInfo, enableDefaultTyping, or PolymorphicTypeValidator usage). No upstream fix released yet
11+
# (fix targets: 2.18.8, 2.21.4, 3.1.4; latest available: 2.18.4).
1012
# See: UID2-7364
1113
CVE-2026-54512 exp:2026-07-25
1214
CVE-2026-54513 exp:2026-07-25

0 commit comments

Comments
 (0)