CVE-2026-54514
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk12th percentile - higher than 12% of all known CVEs
Summary
Vulnerability in jackson-databind from version 2.0.0 to 2.18.8, 2.21.4, and 3.1.4 causes immediate DNS resolution for untrusted input during deserialization of InetSocketAddress. An attacker can force a DNS query to a chosen host before any application-level validation.
Risk Assessment
The organization is exposed to DNS exfiltration or internal network scanning attacks via attacker-controlled DNS queries, potentially leading to data leakage or infrastructure mapping.
Recommendation
Immediately update jackson-databind to version 2.18.8, 2.21.4, or 3.1.4, depending on the branch used, to defer DNS resolution until an explicit connection.
Original NVD description (English source)
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.

