CVE-2017-7525

CRITICAL

jackson-databind <2.6.7.1, <2.7.9.1, <2.8.9 - Code Injection

Title source: llm

Description

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

Exploits (7)

nomisec WRITEUP 107 stars
by SecureSkyTechnology · poc
https://github.com/SecureSkyTechnology/study-struts2-s2-054_055-jackson-cve-2017-7525_cve-2017-15095
nomisec WORKING POC 18 stars
by JavanXD · poc
https://github.com/JavanXD/Demo-Exploit-Jackson-RCE
nomisec WORKING POC 6 stars
by Ingenuity-Fainting-Goats · poc
https://github.com/Ingenuity-Fainting-Goats/CVE-2017-7525-Jackson-Deserialization-Lab
nomisec WORKING POC 1 stars
by Dannners · poc
https://github.com/Dannners/jackson-deserialization-2017-7525
gitlab WORKING POC
by jjp13t3rs · poc
https://gitlab.com/jjp13t3rs/jackson_deserialization_vuln
nomisec WORKING POC
by Nazicc · poc
https://github.com/Nazicc/S2-055

References (60)

... and 40 more

Scores

CVSS v3 9.8
EPSS 0.7927
EPSS Percentile 99.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-184 CWE-502
Status published
Products (43)
com.fasterxml.jackson.core/jackson-databind 0 - 2.6.7.1Maven
debian/debian_linux 8.0
debian/debian_linux 9.0
fasterxml/jackson-databind 2.9.0 prerelease1 (2 CPE variants)
fasterxml/jackson-databind < 2.6.7.1
netapp/oncommand_balance
netapp/oncommand_performance_manager (2 CPE variants)
netapp/oncommand_shift
netapp/snapcenter
oracle/banking_platform 2.5.0
... and 33 more
Published Feb 06, 2018
Tracked Since Feb 18, 2026