Summary
BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist.
Impact
Applications using BasicPolymorphicTypeValidator with allowIfSubTypeIsArray() as a safeguard get no protection for concrete array component types; an attacker controlling JSON can instantiate non-allowlisted types via an array wrapper, re-opening the gadget-instantiation risk PTV is meant to prevent.
Affected / Patched (verified via git tag --contains)
- 2.18 line:
>= 2.10.0, < 2.18.8 -> fixed in 2.18.8
- 2.19-2.21 line:
>= 2.19.0, < 2.21.4 -> fixed in 2.21.4
- 3.x line:
>= 3.0.0, < 3.1.4 -> fixed in 3.1.4
PolymorphicTypeValidator was added in 2.10.0 so vulnerability N/A for versions prior to that.
Severity / CWE
Maintainer: significant. Reporter: HIGH. CWE-184 (Incomplete List of Disallowed Inputs); related CWE-502.
Upstream fix
FasterXML/jackson-databind#5981; fix PR #5983 (24529da), 2.18 backport PR #5984 (01d1692). Released 2026-06-04 in 2.18.8 / 2.21.4 / 3.1.4.
Credits
Omkhar Arasaratnam (@omkhar) - finder.
References
Summary
BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray()allowlists any array type based only onclazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built withallowIfSubTypeIsArray()plus an explicit concrete-type allowlist therefore still permitsEvilType[]even thoughEvilTypeis not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist.Impact
Applications using
BasicPolymorphicTypeValidatorwithallowIfSubTypeIsArray()as a safeguard get no protection for concrete array component types; an attacker controlling JSON can instantiate non-allowlisted types via an array wrapper, re-opening the gadget-instantiation risk PTV is meant to prevent.Affected / Patched (verified via
git tag --contains)>= 2.10.0, < 2.18.8-> fixed in 2.18.8>= 2.19.0, < 2.21.4-> fixed in 2.21.4>= 3.0.0, < 3.1.4-> fixed in 3.1.4PolymorphicTypeValidatorwas added in 2.10.0 so vulnerability N/A for versions prior to that.Severity / CWE
Maintainer: significant. Reporter: HIGH. CWE-184 (Incomplete List of Disallowed Inputs); related CWE-502.
Upstream fix
FasterXML/jackson-databind#5981; fix PR #5983 (
24529da), 2.18 backport PR #5984 (01d1692). Released 2026-06-04 in 2.18.8 / 2.21.4 / 3.1.4.Credits
Omkhar Arasaratnam (@omkhar) - finder.
References