Jackson Unsafe Polymorphic Deserialization
Description
Jackson deserialization that resolves the concrete class from a type identifier in the input, using unsafe base types or permissive polymorphic typing, can lead to Remote Code Execution (RCE). Avoid @JsonTypeInfo with Id.CLASS or Id.MINIMAL_CLASS on broad base types such as Object or Serializable; avoid enableDefaultTyping and LaissezFaireSubTypeValidator; and avoid activateDefaultTyping with overly permissive type matchers. Each of these lets the JSON document itself name the class to instantiate. Instead, use @JsonTypeInfo with Id.NAME, restrict deserialization to known-safe types, and enable MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES where supported.
Examples
Insecure Code

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.annotation.JsonTypeInfo.Id;

// Insecure: Id.CLASS embeds a fully qualified class name as the type id,
// so the JSON input decides which class Jackson instantiates.
@JsonTypeInfo(use = Id.CLASS)
public class MyClass extends Object {
}
```

Secure Code

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.annotation.JsonTypeInfo.Id;

// Secure: Id.NAME uses a logical type name that is resolved only against
// subtypes registered in code, never against an arbitrary class name.
@JsonTypeInfo(use = Id.NAME)
public class MyClass {
}
```

Remediation
Use @JsonTypeInfo(use = Id.NAME) and restrict deserialization to known-safe types. Enable MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES where supported.
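The following is an added, self-contained example that is not part of this rule page or of Jackson itself. It shows the remediation applied end to end: a hypothetical Shape hierarchy whose permitted subtypes are registered with @JsonSubTypes under Id.NAME, an ObjectMapper built with MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES enabled and a restrictive BasicPolymorphicTypeValidator, and a constructed JSON document carrying an unregistered type id, which Jackson rejects with InvalidTypeIdException instead of resolving it to a class. The class and field names (SafePolymorphicDemo, Shape, Circle, Square, the "kind" property) are assumptions made for the example.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.MapperFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafePolymorphicDemo {

    // Hypothetical domain model: the polymorphic base is a closed set of shapes.
    // Id.NAME plus @JsonSubTypes means the "kind" property is a logical name
    // looked up in this fixed registry, not a class name to load.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, include = JsonTypeInfo.As.PROPERTY, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    public static abstract class Shape {
        public abstract double area();
    }

    public static class Circle extends Shape {
        public double radius;
        @Override public double area() { return Math.PI * radius * radius; }
    }

    public static class Square extends Shape {
        public double side;
        @Override public double area() { return side * side; }
    }

    // Hardened mapper. BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES refuses polymorphic
    // handling of broad bases such as Object or Serializable. The validator is
    // consulted for class-name based type ids (Id.CLASS or default typing); it is
    // configured here so that any such usage elsewhere in the application is
    // limited to subtypes of Shape rather than the whole classpath.
    static ObjectMapper buildMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfBaseType(Shape.class)
            .build();
        return JsonMapper.builder()
            .enable(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES)
            .polymorphicTypeValidator(ptv)
            .build();
    }

    // Returns null when the input names a type id that is not registered.
    static Shape parseShape(ObjectMapper mapper, String json) throws Exception {
        try {
            return mapper.readValue(json, Shape.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected unregistered type id: " + e.getTypeId());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = buildMapper();

        // Constructed sample input using a registered logical name.
        String registered = "{\"kind\":\"circle\",\"radius\":2.0}";
        Shape circle = parseShape(mapper, registered);
        System.out.println("parsed " + circle.getClass().getSimpleName()
            + " with area " + circle.area());

        // Constructed sample input whose type id is not in the @JsonSubTypes
        // registry. Under Id.NAME this is rejected; it is never treated as a
        // class name to load.
        String unregistered = "{\"kind\":\"not-a-registered-name\",\"radius\":1.0}";
        Shape rejected = parseShape(mapper, unregistered);
        System.out.println("result for unregistered id: " + rejected);
    }
}
```

The mapper is built once with JsonMapper.builder() (Jackson 2.10 and later) so the hardening settings are fixed at construction time and cannot be loosened per call. In a codebase that still uses enableDefaultTyping or activateDefaultTyping, the same BasicPolymorphicTypeValidator can be passed to activateDefaultTyping in place of LaissezFaireSubTypeValidator, but replacing class-name type ids with Id.NAME and an explicit subtype registry, as above, is the stronger fix because the input never names a class at all.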
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0111 |
| Category | Deserialization |
| Severity | MEDIUM |
| CWE | CWE-502 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | jackson, deserialization, RCE |
| OWASP | N/A |