The `BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray()` method in Jackson-databind allows any array type based solely on `clazz.isArray()`, without validating the array's component (element) type against the configured allowlist. A `PolymorphicTypeValidator` (PTV) built with `allowIfSubTypeIsArray()` plus an explicit concrete-type allowlist therefore still permits `EvilType[]` even though `EvilType` is not allowlisted.
When Jackson deserializes the elements of such an array and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, effectively bypassing the allowlist. This re-opens the gadget-instantiation risk that PTV is designed to prevent.
The vulnerability affects applications using `BasicPolymorphicTypeValidator` with `allowIfSubTypeIsArray()` as a safeguard, as they get no protection for concrete array component types. An attacker controlling JSON can instantiate non-allowlisted types via an array wrapper.
The issue was introduced in version 2.10.0 when `PolymorphicTypeValidator` was added. The fix was released on 2026-06-04 in versions 2.18.8, 2.21.4, and 3.1.4. The upstream fix is tracked in FasterXML/jackson-databind#5981 with PR 5983 (24529da) and backport PR 5984 (01d1692). The vulnerability is classified as CWE-184 (Incomplete List of Disallowed Inputs) and related to CWE-502.
DailyCVE Form
Platform: FasterXML Jackson-databind
Version: 2.10.0 – 2.18.7, 2.19.0 – 2.21.3, 3.0.0 – 3.1.3
Vulnerability: Array subtype allowlist bypass
Severity: High
Date: 2026-06-23
Prediction: 2026-06-04 (already patched)
What Undercode Say
Analytics:
The vulnerability stems from a logic flaw in allowIfSubTypeIsArray(), which blindly trusts any array type without inspecting its component type. This bypasses the intended allowlist semantics and allows deserialization of malicious gadget classes.
Bash Commands / Code:
```shell
# Check if your version is affected
mvn dependency:tree | grep jackson-databind
# For Gradle
gradle dependencies | grep jackson-databind
# Verify fixed version
git tag --contains 24529da   # PR 5983
git tag --contains 01d1692   # 2.18 backport
```
Affected versions (via `git tag --contains`):
- 2.10.0 – 2.18.7 → fixed in 2.18.8
- 2.19.0 – 2.21.3 → fixed in 2.21.4
- 3.0.0 – 3.1.3 → fixed in 3.1.4
Exploit
An attacker can craft JSON that includes an array of a non-allowlisted type, e.g.:
```json
["com.evil.Gadget", "com.evil.Gadget"]
```
When the PTV is configured with `allowIfSubTypeIsArray()` and an explicit allowlist (e.g., only `SafeType` is allowed), the PTV sees `Gadget[]` and allows it because `clazz.isArray()` returns true. During deserialization, Jackson instantiates each element as `Gadget` without re-checking the PTV, leading to arbitrary class instantiation.
Protection
- Upgrade to jackson-databind 2.18.8, 2.21.4, or 3.1.4 (or later)
- Avoid using `allowIfSubTypeIsArray()` if you rely on per-type allowlisting
- Use `allowIfSubType()` with explicit class checks instead of array-wide allowance
- If upgrade is not possible, consider implementing a custom `PolymorphicTypeValidator` that validates component types of arrays
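The custom validator suggested in the last point, as an added example that is not part of the original advisory or of the Jackson project: it wraps any delegate PTV and strips array dimensions before delegating, so `Gadget[]` is judged as `Gadget`, and shows the weak configuration beside the hardened one. It assumes Jackson 2.x package names (`com.fasterxml.jackson.databind`) and uses `SafeType` as a placeholder allowlisted class.

```java
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.MapperConfig;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/** Forces array sub-types to be validated by their element type (example, not Jackson's own code). */
public final class ArrayComponentCheckingValidator extends PolymorphicTypeValidator {
    private static final long serialVersionUID = 1L;
    private final PolymorphicTypeValidator delegate;

    /** Placeholder for the one concrete type the application actually allows. */
    public static class SafeType { public String name; }

    public ArrayComponentCheckingValidator(PolymorphicTypeValidator delegate) {
        this.delegate = delegate;
    }

    @Override
    public Validity validateBaseType(MapperConfig<?> config, JavaType baseType) {
        return delegate.validateBaseType(config, baseType);
    }

    @Override
    public Validity validateSubClassName(MapperConfig<?> config, JavaType baseType,
                                         String subClassName) throws JsonMappingException {
        return delegate.validateSubClassName(config, baseType, subClassName);
    }

    @Override
    public Validity validateSubType(MapperConfig<?> config, JavaType baseType,
                                    JavaType subType) throws JsonMappingException {
        // Peel off every array dimension (Gadget[][] -> Gadget) so the element class is what
        // the allowlist decides on; the delegate never sees the array type, so an
        // allowIfSubTypeIsArray() matcher in it cannot short-circuit the check.
        JavaType element = subType;
        while (element.isArrayType()) {
            element = element.getContentType();
        }
        // INDETERMINATE for the element means Jackson rejects the array with InvalidTypeIdException.
        return delegate.validateSubType(config, baseType, element);
    }

    // Weak: Gadget[] passes because clazz.isArray() is true, even though Gadget is not allowlisted.
    static PolymorphicTypeValidator weak() {
        return BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(SafeType.class).allowIfSubTypeIsArray().build();
    }

    // Hardened: SafeType[] is still accepted; Gadget[] reduces to Gadget and is denied.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator inner = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(SafeType.class).build();
        return new ObjectMapper().activateDefaultTyping(
                new ArrayComponentCheckingValidator(inner), ObjectMapper.DefaultTyping.NON_FINAL);
    }
}
```

Because primitive component types (for example `int[]`) are also reduced to their element type, add them to the delegate allowlist explicitly if the application relies on polymorphic primitive arrays.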
Impact
- Confidentiality: An attacker may instantiate arbitrary classes, potentially leading to remote code execution or information disclosure via known deserialization gadgets.
- Integrity: Malicious objects can be injected into the application context, corrupting application state.
- Availability: Deserialization of malicious gadgets may cause resource exhaustion, crashes, or denial of service.
- Attack Vector: Remote, unauthenticated (if the application deserializes user-supplied JSON with polymorphic typing enabled).
Sources:
Reported By: github.com