Remote code execution in FasterXML jackson-databind

Published: 2017-12-12
Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2017-17485
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
Universal components / Libraries / Libraries used by multiple products

Vendor FasterXML

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Deserialization of untrusted data

EUVDB-ID: #VU10257

Risk: High


CVE-ID: CVE-2017-17485

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in the FasterXML jackson-databind library due to improper validation of user-input handled by the readValue method of the ObjectMapper object. A remote attacker can send malicious input to the vulnerable method of a web application that uses the Spring library in the application's classpath and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.


The vulnerability is addressed in the following versions: and 2.8.11.

Vulnerable software versions

jackson-databind: 2.8.0 - 2.8.10, 2.7.9 -, 2.9.0 - 2.9.3

CPE2.3 External links

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?