CVE-2018-7489

CRITICAL

jackson-databind < 2.7.9.3, 2.8.x < 2.8.11.1, 2.9.x < 2.9.5 - Remote Code Execution via Deserialization Denylist Bypass (c3p0 gadgets)

Title source: llm

Exploitation Summary

EIP tracks 3 public exploit repositories for CVE-2018-7489, published by dawetmaster, andikahilmy and tafamace. Two of them (dawetmaster, andikahilmy) package a vulnerable jackson-databind 2.9.0 build for testing; the tafamace entry is a stub with no exploit logic.

AI-analyzed exploit summary: This repository contains a vulnerable version of Jackson Databind (2.9.0) that is susceptible to CVE-2018-7489, a deserialization vulnerability. The included source code and build configuration allow for testing and exploitation of the flaw.

Description

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. It is exploitable by sending maliciously crafted JSON to ObjectMapper.readValue when polymorphic type handling is enabled (enableDefaultTyping, or @JsonTypeInfo on a broad base type such as Object): the class name embedded in the JSON is checked only against a denylist of known gadget classes, and that denylist did not cover the c3p0 data-source classes, so an application with the c3p0 libraries on its classpath could be made to instantiate them. The fixed versions add the c3p0 classes to the denylist (jackson-databind issue #1931). Because a denylist is inherently incomplete (CWE-184), the practical remediation is to upgrade and, on 2.10 or later, replace default typing with an allow-list PolymorphicTypeValidator or disable default typing entirely.
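
As an added illustration of the precondition described above (this is not code from the PoC repositories or from the Jackson project): the same constructed type-id payload is fed to a vulnerable, a hardened and a default-typing-free ObjectMapper. The `Envelope` type, the `com.example.model.` allow-list package and the payload string are assumptions made for the example; the class name in the payload is one of the c3p0 types the fix denylisted, with its properties left empty because the point is whether the name is honoured, not the gadget chain. Without c3p0 on the classpath the vulnerable mapper fails only on class lookup; with it present, it instantiates the gadget. Compiles against jackson-databind 2.10 or later.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Added example, not part of the PoC repositories or of jackson-databind itself.
 * Three ObjectMapper configurations are given the same constructed type-id payload.
 */
public class DefaultTypingDemo {

    /** Hypothetical application type with a field declared as java.lang.Object. */
    public static class Envelope {
        public Object payload;
    }

    // VULNERABLE (pre-2.10 API, as used on the affected 2.9.x versions):
    // enableDefaultTyping() tells Jackson to trust a class name embedded in the JSON
    // for Object and non-concrete declared types. Before 2.9.5 the only guard was the
    // denylist in SubTypeValidator, which did not contain the c3p0 classes, so
    // readValue() instantiated them whenever c3p0 was on the classpath.
    @SuppressWarnings("deprecation")
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    // HARDENED (2.10+): default typing only through an allow-list validator. A type id
    // outside the application's own package (assumed "com.example.model.") is rejected
    // before any deserializer or constructor runs, regardless of which gadget jars
    // happen to be present.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    // SAFEST: no default typing at all. The wrapper array is then parsed as an
    // ordinary java.util.ArrayList and the class name inside it is inert string data.
    static ObjectMapper noDefaultTypingMapper() {
        return new ObjectMapper();
    }

    public static void main(String[] args) {
        // Constructed payload in the WRAPPER_ARRAY shape default typing expects:
        // ["fully.qualified.ClassName", { ...properties... }]
        String attackerJson =
            "{\"payload\":[\"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\",{}]}";

        String[] labels = {"vulnerable", "hardened", "no-default-typing"};
        ObjectMapper[] mappers = {vulnerableMapper(), hardenedMapper(), noDefaultTypingMapper()};

        for (int i = 0; i < mappers.length; i++) {
            try {
                Envelope e = mappers[i].readValue(attackerJson, Envelope.class);
                // vulnerable + c3p0 present: the gadget's constructor has already run;
                //   the real PoCs go on to drive its setters
                // no-default-typing: payload is a java.util.ArrayList, nothing was looked up
                System.out.println(labels[i] + ": payload is "
                        + (e.payload == null ? "null" : e.payload.getClass().getName()));
            } catch (Exception ex) {
                // vulnerable without c3p0: InvalidTypeIdException, "no such class found"
                // hardened: InvalidTypeIdException, denied by the PolymorphicTypeValidator
                System.out.println(labels[i] + ": rejected (" + ex.getClass().getSimpleName()
                        + ": " + ex.getMessage() + ")");
            }
        }
    }
}
```

Running it without c3p0 on the classpath shows the vulnerable mapper failing only because the class cannot be found, which is the accidental protection a denylist gives you; add c3p0 (or any gadget the list does not yet name) and only the validator-backed and typing-free mappers still refuse the payload.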

Exploits (3)

nomisec WORKING POC
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2018-7489-jackson-databind-vulnerable

This repository contains a vulnerable version of Jackson Databind (2.9.0) that is susceptible to CVE-2018-7489, a deserialization vulnerability. The included source code and build configuration allow for testing and exploitation of the flaw.

Classification: Working PoC (90%)
Attack type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Jackson Databind 2.9.0
Authentication: none needed
Prerequisites: Java environment · Jackson Databind 2.9.0 dependency
Analysis: devstral-2, Mar 14, 2026
nomisec WORKING POC
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2018-7489-jackson-databind-vulnerable

This repository contains a vulnerable version of Jackson Databind (2.9.0) that is susceptible to CVE-2018-7489, a deserialization vulnerability. The included source code and build configuration allow for testing and exploitation of the vulnerability.

Classification: Working PoC (95%)
Attack type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Jackson Databind 2.9.0
Authentication: none needed
Prerequisites: Java environment · Vulnerable Jackson Databind library
Analysis: devstral-2, Feb 18, 2026
nomisec STUB
by tafamace · poc
https://github.com/tafamace/CVE-2018-7489

The provided code is a simple Java stub that prints command-line arguments and does not demonstrate any exploit functionality for CVE-2018-7489. It lacks any offensive techniques or vulnerability-specific logic.

Classification: Stub (90%)
Attack type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
Authentication: none needed
Analysis: devstral-2, Feb 16, 2026

References (28)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/103203
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1448
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1449
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:2938
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1450
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:2090
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:2939
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1041890
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1040693
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1786
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1451
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2018/dsa-4190
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1447
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:2088
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:2089
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2858
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3149
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20180328-0001/
Third Party Advisory x_refsource_confirm
https://github.com/FasterXML/jackson-databind/issues/1931

Scores

CVSS v3 9.8
EPSS 0.3621
EPSS Percentile 97.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-184 (Incomplete List of Disallowed Inputs), CWE-502 (Deserialization of Untrusted Data)
Status published
Products (9)
com.fasterxml.jackson.core/jackson-databind >= 2.8.0, < 2.8.11.1 (Maven)
debian/debian_linux 8.0
debian/debian_linux 9.0
fasterxml/jackson-databind < 2.7.9.3
oracle/communications_billing_and_revenue_management 7.5
oracle/communications_billing_and_revenue_management 12.0
oracle/communications_instant_messaging_server 10.0.1
redhat/jboss_enterprise_application_platform 6.4.19
redhat/jboss_enterprise_application_platform 7.1.2
Published Feb 26, 2018
Tracked Since Feb 18, 2026