The jackson-databind library's JDKFromStringDeserializer constructed InetSocketAddress instances using new InetSocketAddress(host, port), which performs immediate DNS resolution during JSON deserialization. This behavior allows an attacker to cause the application to issue arbitrary DNS queries if untrusted JSON input is bound to a type containing an InetSocketAddress field. The vulnerability affects all versions from 2.0.0 until 2.18.8, 2.21.4, and 3.1.4. The fix replaces the constructor call with InetSocketAddress.createUnresolved(host, port), deferring DNS resolution until an explicit connect call, thus preventing premature DNS queries during deserialization.

An attacker can cause the application to perform DNS lookups controlled by the attacker during JSON deserialization, potentially leaking internal network information or causing side effects related to DNS resolution. There is no direct impact on confidentiality, integrity, or availability beyond the DNS query side effect. The CVSS score is 5.3 (medium severity), reflecting the network attack vector, low complexity, no privileges required, and limited impact (confidentiality loss only).

A fix is available in jackson-databind versions 2.18.8, 2.21.4, and 3.1.4. Users should upgrade to one of these versions or later to remediate this vulnerability. Since no official remediation level is provided, users should verify the upgrade status with the vendor advisory or official project repository. Until patched, avoid deserializing untrusted JSON into types containing InetSocketAddress fields or implement strict input validation to prevent attacker-controlled hostnames.