jackson-databind has a @JsonView bypass for unwrapped creator parameters
Moderate severity
GitHub Reviewed
Published Jun 16, 2026 in FasterXML/jackson-databind • Updated Jun 23, 2026
Description
Published to the GitHub Advisory Database
Jun 23, 2026
Reviewed
Jun 23, 2026
Last updated
Jun 23, 2026
Summary

UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters but never consults prop.visibleInView(activeView). The normal property-based creator path gates creator properties on the active view, but this unwrapped-creator replay path bypasses that check, so a constructor parameter annotated with both @JsonView(AdminView.class) and @JsonUnwrapped is populated from attacker JSON even when a more restrictive view is active.

Impact

View-restricted unwrapped creator parameters can be set from untrusted input wherever @JsonView is used as a write-side authorization boundary. Only the unwrapped creator path is affected: creator parameters that are view-restricted but not unwrapped, and view-restricted setters and fields, are still gated on the active view.

Affected / Patched (verified via git tag --contains)

>= 2.21.0, < 2.21.4 -> fixed in 2.21.4 (backport 721fa07, #5973)
>= 3.0.0, < 3.1.4 -> fixed in 3.1.4 (#5971, d633bc0)

Severity / CWE

Maintainer assessment: minor. Reporter assessment: HIGH. CWE-863 (Incorrect Authorization); related CWE-284.
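The following is an added example, not code from the advisory or from the jackson-databind project. It builds the exact shape the Summary describes (a creator parameter carrying both @JsonUnwrapped and @JsonView) and deserializes constructed attacker input under a more restrictive view, so it can be dropped into a test suite as a probe for whether the installed jackson-databind still populates the admin-only fields. It also shows the safer shape: bind the untrusted endpoint to a request type that has no privileged fields at all, so there is nothing for a view to gate, and leave FAIL_ON_UNKNOWN_PROPERTIES enabled so surplus keys are rejected instead of silently applied. The view classes, the Account/Privileges types, the PublicAccountRequest type and the JSON payload are all hypothetical; the imports assume Jackson 2.x package names (3.x moved ObjectMapper to tools.jackson.databind).

```java
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonUnwrapped;
import com.fasterxml.jackson.annotation.JsonView;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.PackageVersion;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;

public class UnwrappedCreatorViewProbe {

    // Hypothetical view hierarchy: AdminView extends PublicView, so an
    // @JsonView(AdminView.class) property is hidden when PublicView is active.
    public static class PublicView {}
    public static class AdminView extends PublicView {}

    // Hypothetical privileged fields that @JsonUnwrapped flattens into the
    // parent JSON object ("admin" and "role" appear at the top level).
    public static class Privileges {
        public boolean admin;
        public String role;
    }

    // The pattern from the advisory: a creator parameter that is both
    // unwrapped and view-restricted, with @JsonView doing duty as a
    // write-side authorization boundary.
    public static class Account {
        public final String username;
        public final Privileges privileges;

        @JsonCreator
        public Account(@JsonProperty("username") String username,
                       @JsonUnwrapped @JsonView(AdminView.class) Privileges privileges) {
            this.username = username;
            this.privileges = privileges;
        }
    }

    // Constructed attacker input: an unprivileged caller supplies the
    // admin-only keys alongside the public ones.
    static final String UNTRUSTED =
            "{\"username\":\"alice\",\"admin\":true,\"role\":\"superuser\"}";

    /** True if the admin-only unwrapped creator fields were populated
     *  even though only PublicView was active (the advisory's bypass). */
    public static boolean viewGateBypassed(ObjectMapper mapper) throws Exception {
        Account acct = mapper.readerWithView(PublicView.class)
                             .forType(Account.class)
                             .readValue(UNTRUSTED);
        return acct.privileges != null && acct.privileges.admin;
    }

    // Hardened shape: the type bound to the untrusted endpoint simply has no
    // privileged fields, so no view check stands between input and state.
    public static class PublicAccountRequest {
        public final String username;

        @JsonCreator
        public PublicAccountRequest(@JsonProperty("username") String username) {
            this.username = username;
        }
    }

    /** True if the hardened request type rejects the same payload because
     *  "admin" and "role" are unknown properties. Requires the default
     *  FAIL_ON_UNKNOWN_PROPERTIES=true; a mapper that disables it would
     *  silently drop the keys instead, which is weaker but still not a bypass. */
    public static boolean hardenedTypeRejects(ObjectMapper mapper) throws Exception {
        if (!mapper.isEnabled(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES)) {
            throw new IllegalStateException(
                    "FAIL_ON_UNKNOWN_PROPERTIES must stay enabled for this check");
        }
        try {
            mapper.readValue(UNTRUSTED, PublicAccountRequest.class);
            return false;
        } catch (UnrecognizedPropertyException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        System.out.println("jackson-databind " + PackageVersion.VERSION);
        System.out.println("view gate bypassed on unwrapped creator param: "
                + viewGateBypassed(mapper));
        System.out.println("hardened request type rejects admin keys:     "
                + hardenedTypeRejects(mapper));
    }
}
```

On an affected release (2.21.0 through 2.21.3, or 3.0.0 through 3.1.3) viewGateBypassed is expected to return true; on 2.21.4 / 3.1.4 or later the unwrapped creator parameter is gated on the active view like any other creator property. hardenedTypeRejects returns true on any release, which is the point: a type that does not carry the privileged fields does not depend on the fix at all.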
Credits
Omkhar Arasaratnam (@omkhar) - finder.