CVE-2019-12086

Exploitation Summary

EIP tracks 4 public exploits for CVE-2019-12086. PoCs published by Al1ex, motoyasu-saburi, dawetmaster.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2019-12086, a deserialization vulnerability in Jackson. The PoC demonstrates how an attacker can craft a malicious JSON payload to trigger an LDAP or JDBC connection to a rogue server, leading to information leakage or remote code execution.

Description

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

Exploits (4)

nomisec WORKING POC 1 stars

by Al1ex · poc

https://github.com/Al1ex/CVE-2019-12086

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2019-12086, a deserialization vulnerability in Jackson. The PoC demonstrates how an attacker can craft a malicious JSON payload to trigger an LDAP or JDBC connection to a rogue server, leading to information leakage or remote code execution.

Classification

Working Poc 95%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: Jackson (FasterXML)

No auth needed

Prerequisites: Target application must be using a vulnerable version of Jackson with default typing enabled

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 1 stars

by motoyasu-saburi · poc

https://github.com/motoyasu-saburi/CVE-2019-12086-jackson-databind-file-read

View Code ZIP pw:eip

This repository contains a functional PoC for CVE-2019-12086, demonstrating arbitrary file read via Jackson Databind deserialization with MySQL JDBC connector. The exploit leverages polymorphic typing to trigger a connection to a malicious MySQL server, which then exfiltrates local files.

Classification

Working Poc 95%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: FasterXML jackson-databind < 2.9.9 with mysql-connector-java < 8.0.15

No auth needed

Prerequisites: Default Typing enabled in Jackson · mysql-connector-java < 8.0.15 in classpath · Network access to attacker-controlled MySQL server

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by dawetmaster · poc

https://github.com/dawetmaster/CVE-2019-12086-jackson-databind-vulnerable

View Code ZIP pw:eip

This repository contains a vulnerable version of Jackson Databind (2.9.0) that is susceptible to CVE-2019-12086, a deserialization vulnerability. The included source code and build configuration allow for testing and exploitation of the flaw.

Classification

Working Poc 95%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: Jackson Databind 2.9.0

No auth needed

Prerequisites: Java environment · vulnerable Jackson Databind version

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Mar 14, 2026 Full analysis →

nomisec WORKING POC

by andikahilmy · poc

https://github.com/andikahilmy/CVE-2019-12086-jackson-databind-vulnerable

View Code ZIP pw:eip

This repository contains a vulnerable version of Jackson Databind (2.9.0) that demonstrates CVE-2019-12086, a deserialization vulnerability. The included source code and build configuration allow for testing and exploitation of the flaw.

Classification

Working Poc 90%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: Jackson Databind 2.9.0

No auth needed

Prerequisites: Java environment · Vulnerable Jackson Databind version (2.9.0)

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (41)

Core 41

Core References

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/88cd25375805950ae7337e669b0cb0eeda98b9604c1b8d806dccbad2%40%3Creviews.spark.apache.org%3E

Third Party Advisory mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2019/05/msg00030.html

Third Party Advisory vendor-advisory x_refsource_debian

https://www.debian.org/security/2019/dsa-4452

Mailing List, Third Party Advisory mailing-list x_refsource_bugtraq

https://seclists.org/bugtraq/2019/May/68

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/109227

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592%40%3Ccommits.cassandra.apache.org%3E

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/