CVE-2017-7525

CRITICAL

jackson-databind <2.6.7.1, <2.7.9.1, <2.8.9 - Code Injection

Exploitation Summary

EIP tracks 6 public exploits for CVE-2017-7525. PoCs published by SecureSkyTechnology, JavanXD, Ingenuity-Fainting-Goats.

Description

A deserialization flaw was discovered in jackson-databind versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to execute code by sending maliciously crafted input to the readValue method of the ObjectMapper.

Exploits (6)

nomisec WRITEUP 107 stars
by SecureSkyTechnology · poc
https://github.com/SecureSkyTechnology/study-struts2-s2-054_055-jackson-cve-2017-7525_cve-2017-15095

This repository is a detailed writeup and analysis of CVE-2017-7525 and CVE-2017-15095, focusing on the deserialization vulnerabilities in Jackson-databind and their impact on Apache Struts2. It includes explanatory code snippets and references to related CVEs and fixes.

Classification: Writeup 90%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Theoretical
Target: Apache Struts2 (REST plugin), Jackson-databind
No auth needed
Prerequisites: Apache Struts2 with vulnerable REST plugin · Jackson-databind version < 2.8.9
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 18 stars
by JavanXD · poc
https://github.com/JavanXD/Demo-Exploit-Jackson-RCE

This repository demonstrates a working exploit for CVE-2017-7525, a Jackson-databind deserialization vulnerability. It includes a Spring Boot backend and Angular frontend to test attack vectors like file uploads and form submissions.

Classification: Working PoC 95%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Jackson-databind (versions affected by CVE-2017-7525)
No auth needed
Prerequisites: Vulnerable Jackson-databind library in the target application · Ability to send crafted JSON payloads to the target endpoint
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 6 stars
by Ingenuity-Fainting-Goats · poc
https://github.com/Ingenuity-Fainting-Goats/CVE-2017-7525-Jackson-Deserialization-Lab

This repository contains a Java-based lab demonstrating CVE-2017-7525, a Jackson deserialization vulnerability leading to RCE. It includes a vulnerable REST API and payload generation utilities.

Classification: Working PoC 95%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Jackson Databind 2.2.2 with Java < 8u45
No auth needed
Prerequisites: Java < 8u45 · Maven dependencies (jackson-databind 2.2.2, commons-collections 3.1, spring-context-support 4.3.11)
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by Dannners · poc
https://github.com/Dannners/jackson-deserialization-2017-7525

This PoC demonstrates a deserialization vulnerability in Jackson (CVE-2017-7525) by enabling default typing and reading a malicious payload from a file. The exploit leverages unsafe deserialization to achieve arbitrary code execution.

Classification: Working PoC 90%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Jackson Databind (versions affected by CVE-2017-7525)
No auth needed
Prerequisites: Jackson Databind with default typing enabled · Ability to provide a malicious serialized payload file
devstral-2 · analyzed Feb 16, 2026

gitlab WORKING POC
by jjp13t3rs · poc
https://gitlab.com/jjp13t3rs/jackson_deserialization_vuln

This repository contains a functional exploit for CVE-2017-7525, a deserialization vulnerability in Jackson Databind. It leverages the TemplatesImpl gadget to execute arbitrary code via crafted JSON input, with a provided test file to automate payload generation and execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Jackson Databind (versions before 2.6.7.1, 2.7.9.1, and 2.8.9)
No auth needed
Prerequisites: Java environment · vulnerable Jackson Databind version · ability to send crafted JSON input to the target application
devstral-2 · analyzed Feb 23, 2026

nomisec WORKING POC
by Nazicc · poc
https://github.com/Nazicc/S2-055

This is a working proof-of-concept exploit for CVE-2017-7525, a deserialization vulnerability in Apache Struts2 REST plugin. The exploit uses a malicious serialized object to execute arbitrary commands (e.g., 'calc') via the Xalan XSLT library.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Struts 2.5 - 2.5.12
No auth needed
Prerequisites: Vulnerable Struts2 REST plugin endpoint · Ability to send crafted JSON payloads
devstral-2 · analyzed Feb 16, 2026

References (60)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1040360
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1840
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2547
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1836
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1835
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1449
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1039744
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1039947
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2635
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2638
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1450
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:3458
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0294
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1837
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1834
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2546
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2636
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:3455
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2477
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:3456
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0342
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1839
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/99623
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2637
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:3454
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2017/dsa-4004
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:3141
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2633
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0910
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2858
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3149
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html
Patch, Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
Patch, Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Patch, Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/08/msg00039.html
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2020.html
Issue Tracking, Third Party Advisory x_refsource_confirm
https://github.com/FasterXML/jackson-databind/issues/1723
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/FasterXML/jackson-databind/issues/1599
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1462702
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20171214-0002/
Third Party Advisory x_refsource_confirm
https://cwiki.apache.org/confluence/display/WW/S2-055

Scores

CVSS v3 9.8
EPSS 0.8215
EPSS Percentile 99.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-184, CWE-502
Status: published
Products (43)
com.fasterxml.jackson.core/jackson-databind 0 - 2.6.7.1 (Maven)
debian/debian_linux 8.0
debian/debian_linux 9.0
fasterxml/jackson-databind 2.9.0 prerelease1 (2 CPE variants)
fasterxml/jackson-databind < 2.6.7.1
netapp/oncommand_balance
netapp/oncommand_performance_manager (2 CPE variants)
netapp/oncommand_shift
netapp/snapcenter
oracle/banking_platform 2.5.0
... and 33 more
Published Feb 06, 2018
Tracked Since Feb 18, 2026