CVE-2026-54514: 
Java Analisi e mitigazione delle vulnerabilità

CVE-2026-54514 is a Server-Side Request Forgery (SSRF) vulnerability in FasterXML jackson-databind caused by eager DNS resolution during InetSocketAddress deserialization. The JDKFromStringDeserializer class used new InetSocketAddress(host, port), which triggers an immediate DNS lookup for attacker-controlled hostnames at deserialization time — before any application-level validation or connection logic can execute. Affected versions span com.fasterxml.jackson.core:jackson-databind >= 2.0.0 < 2.18.8, >= 2.19.0 < 2.21.4, and >= 3.0.0 < 3.1.4. The vulnerability was discovered by Omkhar Arasaratnam (@omkhar), fixed on June 4, 2026, and publicly disclosed on June 16–23, 2026. It carries a CVSS v3.1 base score of 5.3 (Medium) (GitHub Advisory, FasterXML Advisory).

The root cause is classified as CWE-918 (Server-Side Request Forgery). The vulnerable code path in FromStringDeserializer.java called new InetSocketAddress(host, port), which the Java runtime resolves eagerly via DNS at construction time. When an application deserializes untrusted JSON containing a hostname in an InetSocketAddress-bearing field, the readValue() call triggers an outbound DNS query to an attacker-chosen hostname before any validation occurs. The fix, implemented in PR #5951 (commit 1f5a103), replaces this with InetSocketAddress.createUnresolved(host, port), deferring DNS resolution until an explicit network connect is made (FasterXML PR, Fix Commit).

An unauthenticated attacker who can supply malicious JSON to an application that deserializes InetSocketAddress fields can force the server to issue arbitrary DNS queries to attacker-controlled hostnames. This enables DNS-based out-of-band interaction (e.g., DNS exfiltration), internal resolver probing to map internal network topology, and potential information leakage about the application's network configuration. There is no integrity or availability impact; the confidentiality impact is limited to low-level network reconnaissance (GitHub Advisory).

1. Reconnaissance: Identify applications using a vulnerable version of jackson-databind (>= 2.0.0 < 2.18.8, >= 2.19.0 < 2.21.4, or >= 3.0.0 < 3.1.4) that accept JSON input and deserialize it into types containing InetSocketAddress fields.
2. Set up DNS monitoring: Configure an attacker-controlled DNS server or use an out-of-band interaction platform (e.g., Burp Collaborator, interactsh) to capture incoming DNS queries.
3. Craft malicious JSON: Construct a JSON payload with a hostname field pointing to the attacker-controlled domain, e.g., {"address": "attacker-controlled.example.com:1234"}.
4. Submit payload: Send the crafted JSON to the target application's API endpoint that deserializes the input into an InetSocketAddress-bearing type.
5. Observe DNS query: Confirm that the target server issues a DNS lookup for attacker-controlled.example.com upon calling readValue(), before any application validation runs — confirming the vulnerability and revealing the server's DNS resolver and potentially internal network details (FasterXML Advisory, FasterXML PR).

• Network: Unexpected outbound DNS queries from the application server to external or unusual hostnames, particularly those not associated with normal application operation; DNS queries originating from the JVM process to attacker-controlled domains.
• Logs: Application logs showing readValue() calls on JSON inputs containing hostname strings in InetSocketAddress fields; DNS resolver logs recording queries to unfamiliar external domains initiated by the application server.
• Process: Java process making DNS resolution calls at deserialization time rather than at connection time, observable via network monitoring tools (e.g., tcpdump, Wireshark) capturing DNS traffic from the application host.

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.18.8, 2.21.4, or 3.1.4 (or later), which replace the vulnerable new InetSocketAddress(host, port) call with InetSocketAddress.createUnresolved(host, port). As a workaround, implement input validation to restrict or sanitize hostname values in JSON before deserialization, or use Jackson deserialization filters to block or restrict InetSocketAddress types if they are not required by the application. Applications that do not deserialize untrusted JSON into types containing InetSocketAddress fields are not affected (GitHub Advisory, FasterXML PR).

The vulnerability was reported by Omkhar Arasaratnam and characterized by the jackson-databind maintainer (cowtowncoder) as "minor" in severity, while the reporter rated it "LOW." The fix was quietly merged in May 2026 and released in early June 2026 before the CVE was publicly disclosed in mid-June 2026. The disclosure triggered a wave of automated dependency update pull requests across numerous open-source projects (including Apache Spark, Grafana, and others), reflecting the widespread use of jackson-databind in the Java ecosystem (FasterXML Advisory, FasterXML PR).