Spring Framework Unsafe Deserialization Vulnerability via Jackson JMS Converters

Vulnerability

A vulnerability exists in the Spring Framework within the Jackson JMS message converters, specifically in versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48. In an untrusted JMS environment, these converters permit arbitrary class instantiation, potentially leading to unauthorized actions through gadget class deserialization.

Impact

Exploitation of this vulnerability could result in unsafe deserialization, allowing for arbitrary class instantiation and potentially leading to unauthorized actions within the application.

Remediation

Users in a trusted JMS environment do not need to take any action. For those in an untrusted JMS environment, it is recommended to upgrade to the fixed version and limit authorized packages for deserialization using the new 'setTrustedPackages' methods. The fixed versions are 7.0.8, 6.2.19, 6.1.28, and 5.3.49.
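The following is an added configuration example, written for this page and not taken from the advisory or from the Spring Framework project, showing how the remediation above would look on a `MappingJackson2MessageConverter` used for inbound messages from an untrusted JMS environment. The advisory names `setTrustedPackages` but not its signature, so the varargs `String` form used here is an assumption; the `com.example.orders` package and the `OrderPlaced` payload class are constructed for the example. `setTypeIdMappings` and `setTypeIdPropertyName` are existing converter methods that already let you pin the type id header to an explicit alias-to-class map, which is the tighter control and complements the package restriction.

```java
package com.example.orders;

import java.util.HashMap;
import java.util.Map;

import org.springframework.jms.support.converter.MappingJackson2MessageConverter;
import org.springframework.jms.support.converter.MessageType;

// Constructed payload type for the example; lives in the trusted package.
class OrderPlaced {
    public String orderId;
    public long amountCents;
}

public class JmsConverterHardening {

    // Builds the converter the way the remediation describes for an untrusted JMS
    // environment. Requires one of the fixed Spring Framework versions listed above
    // (7.0.8, 6.2.19, 6.1.28 or 5.3.49) so that setTrustedPackages exists.
    public static MappingJackson2MessageConverter hardenedConverter() {
        MappingJackson2MessageConverter converter = new MappingJackson2MessageConverter();
        converter.setTargetType(MessageType.TEXT);

        // The type id message property decides which class is instantiated.
        // Honour only an explicit alias -> class map, so the producer can name
        // an alias but never an arbitrary fully qualified class.
        converter.setTypeIdPropertyName("_type");
        Map<String, Class<?>> typeIdMappings = new HashMap<>();
        typeIdMappings.put("orderPlaced", OrderPlaced.class);
        converter.setTypeIdMappings(typeIdMappings);

        // Package allow-list from the fixed versions. Signature assumed to be
        // varargs String; the advisory only names the method.
        converter.setTrustedPackages("com.example.orders");

        return converter;
    }
}
```

Wire the returned converter into the `JmsTemplate` and the listener container factory (`setMessageConverter`) so that both sending and receiving paths use it; a listener that keeps the default converter would still accept an unrestricted type id. Keeping the alias map as the primary control and the trusted-package list as defence in depth means a message naming a class outside the map is rejected even if that class happens to sit inside a trusted package.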

Added: Jun 9, 2026, 6:22 AM
Updated: Jun 9, 2026, 6:22 AM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 3.7
remediation: 8.3
relevance: 9.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.