All Jackson Databind CVEs — Complete Vulnerability History
Jackson Databind is the most widely used Java JSON library. It has a long CVE history, primarily deserialization gadget chains that allowed remote code execution (RCE). The team resolved the fundamental issue by disabling default typing in 2.10.0.
Java/Maven
Millions weekly downloads
4 CVEs total
1 CRITICAL
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2019-14379 | 2019 | CRITICAL | RCE via deserialization gadget chain | Fixed 2.9.9.3 |
| CVE-2020-25649 | 2020 | HIGH | XXE in XML processing via JAXB binding | Fixed 2.12.0 |
| CVE-2022-42003 | 2022 | HIGH | DoS via deeply nested JSON deserialization | Fixed 2.14.0 |
| CVE-2022-42004 | 2022 | HIGH | DoS via large array deserialization | Fixed 2.14.0 |
Current safe version: 2.17.1
Update the version property in your pom.xml:

```xml
<!-- Before -->
<jackson.version>2.13.4</jackson.version>
<!-- After -->
<jackson.version>2.17.1</jackson.version>
```

Then run:

```shell
mvn dependency:resolve
```

Paste your manifest — see your exact versions against the full CVE history.
Common questions
Does Jackson still have deserialization RCE issues?
Jackson 2.10+ disabled polymorphic deserialization (the root cause of the RCE gadget chains) by default. If you're on 2.10+, you're not affected by the historical RCE CVEs unless you explicitly enable default typing.

Should I replace Jackson with a different JSON library?
Jackson remains well-maintained and the deserialization RCE class of CVEs is resolved in modern versions. The DoS CVEs (2022) are fixed in 2.14.0. Switching JSON libraries is a significant migration — stay on Jackson with current versions.

What is a deserialization gadget chain?
A gadget chain is a series of Java class instantiations and method calls that, when triggered via deserialization, execute arbitrary code. The attacker crafts a JSON payload that, when deserialized, triggers the chain.
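To make the "unless you explicitly enable default typing" point concrete, here is an added example (not code from this page or from the Jackson project) showing the deprecated unrestricted setting next to the 2.10+ hardened form, which only activates default typing behind an allowlisting PolymorphicTypeValidator. The package com.example.model, the Shape/Circle types and the JSON inputs are assumptions constructed for the example.

```java
package com.example.model;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafePolymorphism {

    // Hypothetical application types; only subtypes under com.example.model are accepted.
    public interface Shape { double area(); }
    public static class Circle implements Shape {
        public double r;
        public double area() { return Math.PI * r * r; }
    }

    // Weak setting (pre-2.10 style, deprecated since 2.10): any class name in the
    // payload may be used as the type id. Shown only for contrast; do not use.
    @SuppressWarnings("deprecation")
    public static ObjectMapper unsafeMapper() {
        return new ObjectMapper().enableDefaultTyping();
    }

    // Hardened form (2.10+): default typing is only active with an explicit allowlist,
    // so a type id outside the prefix is refused before any object is instantiated.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")   // assumption: your model package
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Constructed input in default typing's wrapper-array form: [typeId, value].
        String allowed = "[\"" + Circle.class.getName() + "\", {\"r\": 2.0}]";
        Shape s = mapper.readValue(allowed, Shape.class);
        System.out.println("area = " + s.area());

        // Constructed input naming a JDK type outside the allowlist: rejected by the validator.
        String denied = "[\"java.util.HashMap\", {}]";
        try {
            mapper.readValue(denied, Shape.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```

The InvalidTypeIdException raised for the denied input is the signal to log and alert on: it means a client sent a type id your allowlist does not cover.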