CVE-2020-36518

HIGH

jackson-databind < 2.13.0 - Denial of Service via Nested Object Depth


Exploitation Summary

EIP tracks 3 public exploits for CVE-2020-36518. PoCs published by dawetmaster, andikahilmy, ghillert.

AI-analyzed exploit summary: The repository contains a partial copy of the Jackson Databind library but lacks any exploit code or technical analysis related to CVE-2020-36518. The README is a generic description of the library, and the included files are standard library components without modifications or PoC code.

Description

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

Exploits (3)

Exploit 1 (source: nomisec, classification: STUB)
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2020-36518-jackson-databind-vulnerable

The repository contains a partial copy of the Jackson Databind library but lacks any exploit code or technical analysis related to CVE-2020-36518. The README is a generic description of the library, and the included files are standard library components without modifications or PoC code.

Classification: Stub (90%)
Attack Type: Deserialization
Complexity: Trivial
Reliability: Theoretical
Target: Jackson Databind (version not specified)
Authentication: none needed
Prerequisites: None identified
Analyzed by devstral-2 on Mar 14, 2026

Exploit 2 (source: nomisec, classification: STUB)
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2020-36518-jackson-databind-vulnerable

The repository contains a partial snapshot of the Jackson Databind library but lacks any exploit code or technical analysis related to CVE-2020-36518. It appears to be a placeholder or incomplete project.

Classification: Stub (90%)
Attack Type: Deserialization
Complexity: Theoretical
Reliability: Theoretical
Target: Jackson Databind (version not specified)
Authentication: none needed
Analyzed by devstral-2 on Feb 18, 2026

Exploit 3 (source: nomisec, classification: STUB)
by ghillert · poc
https://github.com/ghillert/boot-jackson-cve

This repository contains a minimal Spring Boot application that demonstrates the presence of a vulnerable dependency (jackson-databind-2.12.6.jar) flagged by OWASP Dependency-Check for CVE-2020-36518. However, it does not include functional exploit code or a technical analysis of the vulnerability.

Classification: Stub (90%)
Attack Type: Deserialization
Complexity: Trivial
Reliability: Theoretical
Target: jackson-databind 2.12.6
Authentication: none needed
Prerequisites: Presence of the vulnerable jackson-databind version in the target application
Analyzed by devstral-2 on Feb 18, 2026

References (7)

Core References (7)

[Exploit, Mailing List, Third Party Advisory] (mailing list)
https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html

[Third Party Advisory] (vendor advisory)
https://www.debian.org/security/2022/dsa-5283

[Mailing List, Third Party Advisory] (mailing list)
https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html

[Issue Tracking, Third Party Advisory]
https://github.com/FasterXML/jackson-databind/issues/2816

Scores

CVSS v3: 7.5
EPSS: 0.0486
EPSS Percentile: 90.9%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-787
Status: published
Products (48):
com.fasterxml.jackson.core/jackson-databind 2.13.0 - 2.13.2.1 (Maven)
debian/debian_linux 9.0
debian/debian_linux 10.0
debian/debian_linux 11.0
fasterxml/jackson-databind < 2.12.6.1
netapp/active_iq_unified_manager (3 CPE variants)
netapp/cloud_insights_acquisition_unit
netapp/oncommand_insight
netapp/oncommand_workflow_automation
netapp/snap_creator_framework
... and 38 more
Published: Mar 11, 2022
Tracked Since: Feb 18, 2026