CVE-2026-54514: jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)

June 23, 2026

JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect.

References

github.com/FasterXML/jackson-databind/commit/1f5a1037b1e9e05920e755cb35f198bcd46667e4
github.com/FasterXML/jackson-databind/pull/5951
github.com/FasterXML/jackson-databind/security/advisories/GHSA-hgj6-7826-r7m5
github.com/advisories/GHSA-hgj6-7826-r7m5
nvd.nist.gov/vuln/detail/CVE-2026-54514

Code Behaviors & Features

Detect and mitigate CVE-2026-54514 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →