CVE-2026-54516: 
Java Analisi e mitigazione delle vulnerabilità

CVE-2026-54516 is an authorization bypass vulnerability in FasterXML jackson-databind, described as "Renamed @JsonIgnore'd setters can deserialize via private fields." It affects com.fasterxml.jackson.core:jackson-databind versions >= 2.21.0 and < 2.21.4, and tools.jackson.core:jackson-databind versions >= 3.0.0 and < 3.1.4. The vulnerability was discovered by Omkhar Arasaratnam (@omkhar), fixed internally on May 6, 2026, and publicly disclosed via GitHub Security Advisory on June 23, 2026. It carries a CVSS v3.1 base score of 5.3 (Medium) (GitHub Advisory).

The root cause is classified as CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes). The flaw resides in POJOPropertiesCollector._renameProperties(): when a POJO property has @JsonProperty("renamed") on its getter and @JsonIgnore on its setter, the property is renamed rather than dropped as intended. With MapperFeature.INFER_PROPERTY_MUTATORS enabled (the default), the private backing field is retained in the property descriptor. During deserialization, BeanDeserializerFactory.addBeanProps() detects hasField()==true, constructs a FieldProperty, and makes the backing field writable — allowing an attacker to supply the renamed JSON key and write directly to the private field, bypassing the @JsonIgnore annotation on the setter. The fix adds a prop.removeFields() call in _renameProperties() to strip inferred non-visible field mutators when the setter is ignored (GitHub Advisory, Fix PR #5967).

Successful exploitation enables an unauthenticated, network-accessible attacker to write arbitrary values to private backing fields of Java objects that were intended to be read-only (serialization-only). This constitutes property tampering or mass assignment, allowing attacker-controlled data to silently populate fields that application logic assumes cannot be set via deserialization. The advisory explicitly notes this is not a general gadget chain and does not enable remote code execution; the integrity impact is low and there is no confidentiality or availability impact (GitHub Advisory).

1. Identify target application: Locate a Java application that uses jackson-databind 2.21.0–2.21.3 or 3.0.0–3.1.3 and accepts JSON input for deserialization into POJOs.
2. Identify vulnerable POJO pattern: Inspect the application's data model (via source code review, API documentation, or fuzzing) for classes where a getter carries @JsonProperty("renamedKey") and the corresponding setter carries @JsonIgnore, creating a field intended to be read-only over the wire.
3. Craft malicious JSON payload: Construct a JSON request body containing the renamed property key (e.g., {"renamedProp": "attacker-controlled-value"}) that the application would normally reject or ignore during deserialization.
4. Submit payload: Send the crafted JSON to the application endpoint that deserializes the target POJO (e.g., via HTTP POST to a REST API).
5. Achieve field write: Due to the vulnerability, jackson-databind builds a FieldProperty for the private backing field and writes the attacker-supplied value directly, bypassing the @JsonIgnore protection — resulting in the private field being set to the attacker's value without going through the ignored setter (GitHub Advisory, Fix PR #5967).

Upgrade jackson-databind to version 2.21.4 (for the 2.21.x branch) or 3.1.4 (for the 3.x branch), which contain the fix via prop.removeFields() in POJOPropertiesCollector._renameProperties(). As a temporary workaround, disable MapperFeature.INFER_PROPERTY_MUTATORS on your ObjectMapper if feasible for your application, which prevents the inferred field mutator from being retained. Apache Spark users should note that the Spark project has already issued a dependency upgrade to jackson 2.21.4 (SPARK-57273) (GitHub Advisory, Fix PR #5967, Backport PR #5968).

The vulnerability was reported by Omkhar Arasaratnam and fixed by the jackson-databind maintainer (cowtowncoder), who characterized the severity as "minor" while the reporter assessed it as "HIGH" — the published CVSS score of 5.3 (Medium) reflects a middle ground. The fix was merged on May 6, 2026, and the advisory was published on June 23, 2026, following a coordinated disclosure period. The vulnerability received routine coverage from CVE aggregation services and was noted in the Bluesky CVE feed, but has not generated significant broader security community discussion (GitHub Advisory).