CVE-2020-25649
XML External Entity (XXE) vulnerability in com.fasterxml.jackson.core:jackson-databind

  • Type: XML External Entity (XXE)
  • Known exploits: none
  • Fixable by: Resolved Security

What is CVE-2020-25649 About?

This vulnerability in FasterXML Jackson Databind is an XML External Entity (XXE) flaw due to improper entity expansion handling. Attackers can exploit this to access sensitive files on the server, perform Denial of Service attacks, or launch server-side request forgery (SSRF). Exploitation is possible if the application processes untrusted XML input using the vulnerable library.

Affected Software

  • com.fasterxml.jackson.core:jackson-databind
    • >2.7.0.0, <2.9.10.7
    • >2.10.0.0, <2.10.5.1
    • >2.6.0, <2.6.7.4

Technical Details

The vulnerability exists in FasterXML Jackson Databind where it fails to properly secure against XML External Entity (XXE) attacks. This occurs because the library does not adequately restrict or disable external entity resolution when parsing XML data. An attacker can craft a malicious XML document containing an external entity declaration (e.g., using `<!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>`). When Jackson Databind processes this XML, if external entities are enabled and not properly configured, the parser will attempt to resolve the external entity, incorporating its content into the parsed data. This can lead to information disclosure (e.g., reading local files), server-side request forgery (SSRF), or Denial of Service attacks (e.g., billion laughs attack).

What is the Impact of CVE-2020-25649?

Successful exploitation may allow attackers to access sensitive files, perform server-side request forgery, or launch denial of service attacks, compromising data integrity and confidentiality.

What is the Exploitability of CVE-2020-25649?

Exploiting this XML External Entity (XXE) flaw is of moderate complexity. An attacker must be able to submit specially crafted XML to an application that parses or deserializes it with the vulnerable FasterXML Jackson Databind library, so the prerequisite is an endpoint or feature that accepts XML from untrusted sources. Whether authentication is needed depends on whether that endpoint is reachable by unauthenticated users. The attacker needs no privileges of their own; what can be read or reached is bounded by the access the application process has on the underlying system. This is primarily a remote scenario targeting web services or APIs that handle XML. The risk is significantly higher in applications that process XML from external sources without explicitly disabling DTDs or external entity resolution.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary entries).

What are the Available Fixes for CVE-2020-25649?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch mitigates CVE-2020-25649 by explicitly configuring the XML parser to disallow DOCTYPE declarations and prevent loading of external DTDs, which blocks XML External Entity (XXE) attacks. This prevents attackers from crafting malicious XML that could otherwise lead to data exposure or remote code execution.
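A configuration check in the spirit of the fix described above, added here as an example (it is not Resolved Security's patch or the library's own code). It assumes jackson-dataformat-xml, whose XmlMapper is Jackson's XML entry point, is on the classpath, and it uses a constructed probe document with an internal entity rather than a SYSTEM entity, so the check never touches the filesystem or the network.

```java
import javax.xml.stream.XMLInputFactory;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.dataformat.xml.XmlFactory;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;

public class XxeHardeningCheck {

    // Constructed probe: an internal entity only. If the parser honours the
    // DOCTYPE, "&probe;" expands to "resolved"; with DTD processing disabled,
    // the declaration is never read and the reference cannot be expanded.
    static final String DTD_PROBE =
        "<!DOCTYPE root [<!ENTITY probe \"resolved\">]>"
        + "<root><name>&probe;</name></root>";

    // Weak configuration: relies on the Stax implementation's defaults, which
    // is what vulnerable versions of the library did.
    static XmlMapper defaultMapper() {
        return new XmlMapper();
    }

    // Hardened configuration: the two settings the fix applies. With SUPPORT_DTD
    // false the internal subset is skipped, so no entity declaration (and no
    // SYSTEM identifier) ever exists for the parser to resolve.
    static XmlMapper hardenedMapper() {
        XMLInputFactory in = XMLInputFactory.newInstance();
        in.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        in.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return new XmlMapper(new XmlFactory(in));
    }

    // Returns true only when the mapper expanded the declared entity, i.e. DTD
    // processing is on and XXE-style documents would be honoured. A parse error
    // (undeclared entity, rejected DOCTYPE) counts as "not expanded".
    static boolean expandsDtdEntities(XmlMapper mapper) {
        try {
            JsonNode tree = mapper.readTree(DTD_PROBE);
            return "resolved".equals(tree.path("name").asText());
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // The default result depends on the library version in use; vulnerable
        // versions expand the entity. The hardened mapper should always be false.
        System.out.println("default mapper expands DTD entities:  " + expandsDtdEntities(defaultMapper()));
        System.out.println("hardened mapper expands DTD entities: " + expandsDtdEntities(hardenedMapper()));
    }
}
```

Run the check against the mapper your application actually constructs: a `true` result means entity declarations are honoured and the DOCTYPE settings need tightening, whatever the jackson version on the classpath.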

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-databind
    • >2.6.0, <2.6.7.4 → Upgrade to 2.6.7.4
  • com.fasterxml.jackson.core:jackson-databind
    • >2.7.0.0, <2.9.10.7 → Upgrade to 2.9.10.7
  • com.fasterxml.jackson.core:jackson-databind
    • >2.10.0.0, <2.10.5.1 → Upgrade to 2.10.5.1

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.

Additional Resources

What are Similar Vulnerabilities to CVE-2020-25649?

Similar Vulnerabilities: CVE-2021-29425, CVE-2021-27568, CVE-2020-29489, CVE-2019-12384, CVE-2018-1000613