CVE-2026-54514

描述

## Summary `JDKFromStringDeserializer` constructed `InetSocketAddress` with `new InetSocketAddress(host, port)`, which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an `InetSocketAddress` field issues an attacker-chosen DNS query during `readValue`, before any application-level validation or connect logic. The fix uses `InetSocketAddress.createUnresolved(host, port)`, deferring DNS to an explicit connect. ## Impact An attacker controlling JSON deserialized into an `InetSocketAddress`-bearing type can force outbound DNS lookups for attacker-chosen hostnames at deserialization time (SSRF / DNS-based out-of-band interaction / internal-resolver probing), purely from binding. ## Affected / Patched (verified via `git tag --contains` on `1f5a103`) - 2.18 line: `>= 2.18.0, < 2.18.8` -> fixed in **2.18.8** - 2.19-2.21 line: `>= 2.19.0, < 2.21.4` -> fixed in **2.21.4** - 3.x line: `>= 3.0.0, < 3.1.4` -> fixed in **3.1.4** ## Severity / CWE Maintainer: minor. Reporter: LOW. CWE-918 (SSRF). ## Upstream fix FasterXML/jackson-databind#5951 ("Improve InetSocketAddress deserialization"). Released 2026-06-04 in 2.18.8 / 2.21.4 / 3.1.4. ## Credits Omkhar Arasaratnam (@omkhar) - finder.

如何修補 CVE-2026-54514

要修補 CVE-2026-54514,請將受影響套件升級到下列已修補版本。

• —升級至 2.18.8 或更新版本
• —升級至 2.21.4 或更新版本

CVE-2026-54514 正在被利用嗎?

目前沒有被利用訊號。CVE-2026-54514 既不在 CISA KEV 也沒有最新的 EPSS 分數。

受影響套件(2)

• >= 2.0.0, < 2.18.8
• >= 2.19.0, < 2.21.4

CVSS 分數

參考連結(4)

• PATCHgithub.com/FasterXML/jackson-databind
• WEBgithub.com/FasterXML/jackson-databind/commit/1f5a1037b1e9e05920e755cb35f198bcd46667e4
• WEBgithub.com/FasterXML/jackson-databind/pull/5951
• WEBgithub.com/FasterXML/jackson-databind/security/advisories/GHSA-hgj6-7826-r7m5