How to Mitigate the Critical Jackson‑databind CVE‑2020‑24616 Vulnerability in Spring Boot

This article explains the high‑severity CVE‑2020‑24616 deserialization flaw in jackson‑databind, identifies affected Jackson and Spring Boot versions, and provides Maven‑based remediation steps such as version pinning, dependency exclusions, and dependencyManagement configuration to prevent remote code execution.

Java Architecture Diary

Affected Versions

Jackson‑databind < 2.9.10.6

Affected Spring Boot Versions

Jackson is bundled with Spring Boot as the default JSON parser; any project that includes

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>

and uses a Spring Boot version lower than 2.1.10 is vulnerable.

How to Fix

Because jackson-databind is the JSON library Spring Boot itself depends on, removing it from the project altogether is not an option. You can either exclude it from each dependency that pulls in an old copy, or enforce a safe version for the whole build.

<!-- Option 1: exclude the transitive copy from each dependency that pulls it in.
     This only removes the old jar; a safe version (2.9.10.6 or later) must still be
     declared in the pom, because Spring MVC's JSON support needs jackson-databind at runtime. -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
    <exclusions>
        <exclusion>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
        </exclusion>
    </exclusions>
</dependency>

<!-- The same exclusion for a third-party module that brings its own jackson-databind. -->
<dependency>
    <groupId>com.xkcoding.nacos</groupId>
    <artifactId>nacos-config</artifactId>
    <version>1.1.4</version>
    <exclusions>
        <exclusion>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
        </exclusion>
    </exclusions>
</dependency>

The simplest approach is to add a version definition in the root pom under <dependencyManagement>, which forces all transitive dependencies to use a safe jackson‑databind version.

<!-- Option 2: pin the version once for the whole build. Every transitive reference,
     including the one from Spring Boot's own starters, now resolves to 2.9.10.6. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.9.10.6</version>
    </dependency>
  </dependencies>
</dependencyManagement>
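Whichever option you apply, the step that actually closes the issue is verifying which jackson-databind version Maven resolved, because mvn dependency:tree prints only the winning version of each artifact. The script below is an added example for this article, not code from the original post or from pig4cloud or mica: it parses dependency:tree output and flags any resolved jackson-databind below 2.9.10.6, the article's stated threshold, using a numeric comparison so that 2.9.10 ranks below 2.9.10.6 and 2.9.9 below 2.9.10 (a plain string comparison gets both wrong). The two trees embedded in it are constructed samples, and the function and constant names are my own.

```python
"""Check which jackson-databind version a Maven build resolved (added example)."""
import re
from typing import List, Tuple

# Threshold taken from the article's affected range: jackson-databind < 2.9.10.6.
FIXED_VERSION = "2.9.10.6"

# One node of `mvn dependency:tree`, e.g.
#   [INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:compile
# The leading class swallows the tree-drawing characters; the classifier is optional.
DEP_LINE = re.compile(
    r"^\[INFO\]\s*[|+\\\s-]*"
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?:(?P<classifier>[\w.\-]+):)?"
    r"(?P<version>[\w.\-]+):(?P<scope>\w+)\s*$"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Map '2.9.10.6' -> (2, 9, 10, 6) and '2.9.10' -> (2, 9, 10, 0).

    Only the leading numeric components count, so qualifiers such as
    '.RELEASE' or '-SNAPSHOT' are ignored. Zero padding is what makes
    2.9.10 sort below 2.9.10.6.
    """
    numbers: List[int] = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        numbers.append(int(match.group()))
    numbers += [0] * (4 - len(numbers))
    return tuple(numbers[:4])


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside the affected range (< FIXED_VERSION)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_jackson_databind(tree_output: str) -> List[Tuple[str, str, bool]]:
    """Return (version, scope, vulnerable) for every jackson-databind node in the tree."""
    findings = []
    for line in tree_output.splitlines():
        match = DEP_LINE.match(line)
        if not match:
            continue
        if (match.group("group"), match.group("artifact")) != (
            "com.fasterxml.jackson.core",
            "jackson-databind",
        ):
            continue
        version = match.group("version")
        findings.append((version, match.group("scope"), is_vulnerable(version)))
    return findings


def tree_is_fixed(tree_output: str) -> bool:
    """True only when jackson-databind is present and every resolved copy is safe.

    Absence counts as 'not fixed': it usually means the wrong module or profile
    was scanned, not that the library is gone.
    """
    findings = find_jackson_databind(tree_output)
    return bool(findings) and not any(vulnerable for _, _, vulnerable in findings)


# Constructed sample output; the versions are illustrative, not taken from a real build.
BEFORE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.1.9.RELEASE:compile
[INFO] |  \- org.springframework.boot:spring-boot-starter-json:jar:2.1.9.RELEASE:compile
[INFO] |     +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:compile
[INFO] |     |  \- com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile
[INFO] |     \- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO] \- com.xkcoding.nacos:nacos-config:jar:1.1.4:compile
"""

# The same project after the <dependencyManagement> pin from the article.
AFTER_TREE = BEFORE_TREE.replace("jackson-databind:jar:2.9.9", "jackson-databind:jar:2.9.10.6")


if __name__ == "__main__":
    for label, tree in (("before pin", BEFORE_TREE), ("after pin", AFTER_TREE)):
        for version, scope, vulnerable in find_jackson_databind(tree):
            status = "VULNERABLE" if vulnerable else "ok"
            print(f"{label}: jackson-databind {version} ({scope}) -> {status}")
        print(f"{label}: build is fixed = {tree_is_fixed(tree)}")
```

For a real project, feed the captured output of mvn dependency:tree (for a multi-module build, run it per module or scan the reactor output as a whole) to find_jackson_databind instead of the embedded samples; treating "not found" as a failure is deliberate, since a clean scan of the wrong module is the most common way this check gives false comfort.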

Summary

There is no need to panic: the default pig4cloud configuration does not enable Jackson default typing, which this deserialization flaw requires, and Spring Cache does not use Jackson serialization. If your Redis setup serializes with Jackson through a globally injected ObjectMapper, use a copy-on-write approach such as mica-redis so that the Redis-specific settings do not contaminate the global mapper.

References

pig4cloud: https://gitee.com/log4j/pig

spring cache: https://gitee.com/log4j/pig/pulls/63

mica‑redis: https://gitee.com/596392912/mica

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.