CVE-2026-54515: 
Java Analisi e mitigazione delle vulnerabilità

CVE-2026-54515 is a property-filter bypass vulnerability in FasterXML jackson-databind where case-insensitive deserialization silently restores fields that were explicitly excluded via per-property @JsonIgnoreProperties annotations, enabling mass-assignment-style writes from untrusted JSON. It affects com.fasterxml.jackson.core:jackson-databind versions >= 2.8.0 < 2.18.9, >= 2.19.0 < 2.21.5, and tools.jackson.core:jackson-databind versions >= 3.1.0 < 3.1.4. The issue was reported by Omkhar Arasaratnam, opened internally on May 6, 2026, and the advisory was published on June 16–23, 2026. It carries a CVSS v3.1 base score of 5.3 (Medium) (Github Advisory, FasterXML Advisory).

The root cause (CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes) lies in BeanDeserializerBase.createContextual(). When _handleByNameInclusion() processes per-property @JsonIgnoreProperties, it produces a contextual deserializer with a filtered BeanPropertyMap that excludes the ignored fields. However, the subsequent code block that handles @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES) incorrectly reads from this._beanProperties (the original, unfiltered map) rather than contextual._beanProperties (the filtered map), then overwrites the contextual map with the rebuilt unfiltered version — effectively restoring every property that _handleByNameInclusion() had removed (FasterXML Advisory, Fix Commit). Exploitation requires no authentication and no special privileges — an attacker simply submits a JSON payload containing the ignored property name (in any case variant) to an endpoint that deserializes into a class configured with both annotations. The one-line fix changes BeanPropertyMap propsOrig = _beanProperties to BeanPropertyMap propsOrig = contextual._beanProperties (Fix PR #5964).

Successful exploitation allows an unauthenticated remote attacker to write to object fields that application developers explicitly marked as non-writable via @JsonIgnoreProperties, a mass-assignment-style integrity violation. There is no confidentiality or availability impact; the sole consequence is low-integrity data tampering — for example, setting privileged fields such as adminKey, role, or isAdmin that the application assumed could never be populated from user-supplied JSON (Github Advisory). The practical severity depends heavily on what the ignored properties control: in security-sensitive contexts (e.g., privilege escalation via role fields), the business impact can far exceed the CVSS score suggests (FasterXML Advisory).

1. Identify target: Locate a Java application using jackson-databind >= 2.8.0 < 2.18.9, >= 2.19.0 < 2.21.5, or >= 3.1.0 < 3.1.4 that exposes a JSON deserialization endpoint.
2. Identify vulnerable class configuration: Determine (via source code review, API documentation, or fuzzing) that the target deserializes into a class or field annotated with both @JsonIgnoreProperties("<fieldName>") and @JsonFormat(with = JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES).
3. Craft malicious payload: Construct a JSON body that includes the ignored property name, optionally using mixed case to leverage the case-insensitive matching (e.g., {"admin":{"adminKey":"ATTACKER_VALUE","username":"alice"}} or {"admin":{"AdminKey":"ATTACKER_VALUE","username":"alice"}}).
4. Submit payload: Send the crafted JSON to the target endpoint via HTTP POST (or equivalent), with appropriate Content-Type: application/json header.
5. Verify bypass: Confirm that the application accepted and applied the value to the supposedly ignored field, indicating the @JsonIgnoreProperties exclusion was bypassed (FasterXML Advisory, Fix Commit).

• Logs: Application logs showing unexpected values in fields that should be read-only or defaulted (e.g., privilege-related fields like adminKey, role, isAdmin populated from user input).
• Network: HTTP requests containing JSON bodies with property names matching fields annotated with @JsonIgnoreProperties, particularly in mixed-case variants (e.g., AdminKey, ADMINKEY, adminkey) targeting deserialization endpoints.
• Application Behavior: Unexpected privilege escalation or data integrity anomalies in objects deserialized from user-supplied JSON, where protected fields have been overwritten with attacker-controlled values.

Upgrade jackson-databind to a patched version: 2.18.9, 2.21.5, or 3.1.4 (for the tools.jackson.core artifact). The fix ensures the case-insensitive BeanPropertyMap rebuild sources from the already-filtered contextual map rather than the original unfiltered map (FasterXML Advisory, Fix Commit). If immediate patching is not feasible, audit all classes that combine @JsonIgnoreProperties with @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES) and consider disabling case-insensitive deserialization on those fields if it is not functionally required.

The vulnerability was discovered and reported by Omkhar Arasaratnam, who also contributed the fix. During the PR review phase, community member bentmann noted that Jackson 2.21.4 also appeared affected despite the initial advisory scoping, prompting the maintainer (cowtowncoder) to acknowledge the broader impact and backport the fix to the 2.18 branch (PR #6039). Sonatype flagged the issue independently, corroborating the broader version impact (Fix PR #5964).