Summary
JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect.
Impact
An attacker controlling JSON deserialized into an InetSocketAddress-bearing type can force outbound DNS lookups for attacker-chosen hostnames at deserialization time (SSRF / DNS-based out-of-band interaction / internal-resolver probing), purely from binding.
Affected / Patched (verified via git tag --contains on 1f5a103)
- 2.18 line:
>= 2.18.0, < 2.18.8 -> fixed in 2.18.8
- 2.19-2.21 line:
>= 2.19.0, < 2.21.4 -> fixed in 2.21.4
- 3.x line:
>= 3.0.0, < 3.1.4 -> fixed in 3.1.4
Severity / CWE
Maintainer: minor. Reporter: LOW. CWE-918 (SSRF).
Upstream fix
FasterXML/jackson-databind#5951 ("Improve InetSocketAddress deserialization"). Released 2026-06-04 in 2.18.8 / 2.21.4 / 3.1.4.
Credits
Omkhar Arasaratnam (@omkhar) - finder.
References
Summary
JDKFromStringDeserializerconstructedInetSocketAddresswithnew InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing anInetSocketAddressfield issues an attacker-chosen DNS query duringreadValue, before any application-level validation or connect logic. The fix usesInetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect.Impact
An attacker controlling JSON deserialized into an
InetSocketAddress-bearing type can force outbound DNS lookups for attacker-chosen hostnames at deserialization time (SSRF / DNS-based out-of-band interaction / internal-resolver probing), purely from binding.Affected / Patched (verified via
git tag --containson1f5a103)>= 2.18.0, < 2.18.8-> fixed in 2.18.8>= 2.19.0, < 2.21.4-> fixed in 2.21.4>= 3.0.0, < 3.1.4-> fixed in 3.1.4Severity / CWE
Maintainer: minor. Reporter: LOW. CWE-918 (SSRF).
Upstream fix
FasterXML/jackson-databind#5951 ("Improve InetSocketAddress deserialization"). Released 2026-06-04 in 2.18.8 / 2.21.4 / 3.1.4.
Credits
Omkhar Arasaratnam (@omkhar) - finder.
References