This vulnerability resides in the `UnwrappedPropertyHandler.processUnwrappedCreatorProperties()` method of the Jackson-databind library. When deserializing JSON into Java objects, Jackson supports the `@JsonView` annotation to control which fields are serialized or deserialized based on the active view context (e.g., a public API view vs. an admin view). This serves as a write-side authorization boundary, preventing sensitive fields from being populated from untrusted input under restricted views.
The flaw arises specifically with constructor parameters that are annotated with both `@JsonView(AdminView.class)` and `@JsonUnwrapped`. During deserialization, the normal property-based creator path correctly checks `prop.visibleInView(activeView)` to ensure the parameter is only populated when the active view matches the required view. However, the unwrapped-creator replay path, implemented in `processUnwrappedCreatorProperties()`, replays buffered JSON into creator parameters without performing this visibility check.
This means that if a constructor parameter is restricted to `AdminView` but the current active view is a more restrictive one (e.g., `PublicView`), the parameter is still populated from attacker-controlled JSON. An attacker can exploit this by sending crafted JSON that includes values for unwrapped creator parameters that should be hidden under the current view, effectively bypassing the authorization boundary.
The vulnerability affects Jackson-databind versions 2.21.0 through 2.21.3 and 3.0.0 through 3.1.3. It was patched in versions 2.21.4 (backport 721fa07, 5973) and 3.1.4 (5971, d633bc0). While the maintainer rates this as minor severity, the reporter considers it HIGH. It is classified under CWE-863 (Incorrect Authorization) and related to CWE-284 (Improper Access Control). The issue was discovered by Omkhar Arasaratnam (@omkhar).
DailyCVE Form:
Platform: Jackson-databind
Version: 2.21.0-2.21.3, 3.0.0-3.1.3
Vulnerability: View Authorization Bypass
Severity: High
Date: 2026-06-23
Prediction: Already Patched (2.21.4/3.1.4)
What Undercode Say:
Analytics from the Jackson team indicate that this issue was identified during a security review of the unwrapped property handling logic. The root cause was the inconsistent application of view checks between the standard creator path and the unwrapped replay path. The fix involved adding a `prop.visibleInView(activeView)` check within `processUnwrappedCreatorProperties()` to align behavior with the normal property-based creator path.
Check if your version is affected, and verify that the fix commits are present in the source tree you build from:

```shell
# Check if your version is affected
mvn dependency:tree | grep jackson-databind
# Verify the fix in source (2.21.4 backport)
git tag --contains 721fa07
# Verify the fix in source (3.1.4)
git tag --contains d633bc0
```

```java
// UnwrappedPropertyHandler.processUnwrappedCreatorProperties(), simplified
// Vulnerable (2.21.0-2.21.3 / 3.0.0-3.1.3): the buffered value is replayed
// into the creator parameter with no view check at all.
// Patched (2.21.4 / 3.1.4): the replay is gated on the active view.
if (prop.visibleInView(activeView)) {
    // Only then replay the buffered value into the creator parameter
}
```
How the Exploit Works:
An attacker can exploit this vulnerability by sending a JSON payload that includes values for unwrapped creator parameters that are annotated with a restricted `@JsonView`. For example, consider a class:
```java
public class User {
    @JsonView(AdminView.class)
    @JsonUnwrapped
    private AdminDetails adminDetails;

    @JsonCreator
    public User(@JsonProperty("adminDetails") @JsonView(AdminView.class) @JsonUnwrapped AdminDetails adminDetails) {
        this.adminDetails = adminDetails;
    }
}
```
If the active view is `PublicView`, the attacker can still set `adminDetails` via JSON because the unwrapped path bypasses the view check.

```json
{
    "adminDetails": {
        "sensitiveField": "malicious_value"
    }
}
```
This allows unauthorized modification of sensitive fields that should only be settable under an admin view.
Protection:
- Upgrade to Jackson-databind 2.21.4 or 3.1.4 (or later).
- If upgrading is not immediately possible, avoid using `@JsonUnwrapped` on constructor parameters that also use `@JsonView` for authorization.
- Validate input payloads at the application level to ensure sensitive fields are not present when a restrictive view is active.
- Monitor deserialization activities for unexpected field population.
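The third protection item, an application-level check that admin-only properties are absent before the view-aware deserializer runs, as an added example (not code from the advisory or from the Jackson project). It assumes jackson-databind 2.x on the classpath; the `PublicView`/`AdminView`/`AdminDetails`/`sensitiveField` names mirror the advisory's example, and the `ADMIN_ONLY` set is a constructed allowlist you would derive from your own model.

```java
import com.fasterxml.jackson.annotation.JsonUnwrapped;
import com.fasterxml.jackson.annotation.JsonView;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.Iterator;
import java.util.Set;

public class PublicViewGuard {
    // View hierarchy and model mirror the advisory's example (constructed for this demo).
    public static class PublicView {}
    public static class AdminView extends PublicView {}
    public static class AdminDetails { public String sensitiveField; }
    public static class User {
        public String name;
        @JsonView(AdminView.class) @JsonUnwrapped public AdminDetails adminDetails;
    }
    // Names a PublicView request must never carry: the wrapper and the fields @JsonUnwrapped flattens from it.
    static final Set<String> ADMIN_ONLY = Set.of("adminDetails", "sensitiveField");
    static final ObjectMapper MAPPER = new ObjectMapper();
    /** Walks the whole tree; returns the first admin-only key found, or null if the payload is clean. */
    static String findAdminOnlyKey(JsonNode node) {
        if (node.isObject()) {
            for (Iterator<String> it = node.fieldNames(); it.hasNext(); ) {
                String key = it.next();
                if (ADMIN_ONLY.contains(key)) return key;
                String nested = findAdminOnlyKey(node.get(key));
                if (nested != null) return nested;
            }
        } else if (node.isArray()) {
            for (JsonNode child : node) {
                String nested = findAdminOnlyKey(child);
                if (nested != null) return nested;
            }
        }
        return null;
    }

    /** Application-level check before the view-aware deserializer ever sees the payload. */
    static User readAsPublic(String json) throws Exception {
        JsonNode tree = MAPPER.readTree(json);
        String bad = findAdminOnlyKey(tree);
        if (bad != null) throw new IllegalArgumentException("admin-only property in public request: " + bad);
        return MAPPER.readerWithView(PublicView.class).forType(User.class).readValue(tree);
    }
    public static void main(String[] args) throws Exception {
        System.out.println(readAsPublic("{\"name\":\"alice\"}").name); // clean payload deserializes
        for (String hostile : new String[] {"{\"adminDetails\":{\"sensitiveField\":\"x\"}}", "{\"sensitiveField\":\"x\"}"})
            try { readAsPublic(hostile); } catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The guard rejects both the nested form shown in the advisory and the flattened form that `@JsonUnwrapped` actually reads, so it holds regardless of which creator path the library takes; it is a stopgap until the upgrade, not a replacement for it.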
Impact:
- Authorization Bypass: View-restricted unwrapped creator parameters can be set from untrusted input, undermining `@JsonView` as a write-side authorization boundary.
- Data Integrity: Attackers may inject values into sensitive fields that should remain hidden or immutable under the current view context.
- Security Control Evasion: Bypasses a key mechanism intended to prevent over-posting attacks in REST APIs.
- Affected Versions: All Jackson-databind 2.21.x (before 2.21.4) and 3.0.x–3.1.x (before 3.1.4).
Sources:
Reported By: github.com