Critiq Docs

security.deserialization

Avoid enabling Jackson polymorphic deserialization

Jackson `ObjectMapper` should not call `enableDefaultTyping` or `activateDefaultTyping`, and `@JsonTypeInfo(use = Id.CLASS|MINIMAL_CLASS)` should not be applied without an allowlist.

# Metadata

| Field | Value |
| --- | --- |
| Rule ID | `java.security.unsafe-jackson-deserialization` |
| Severity | critical |
| Confidence | 0.88 |
| Languages | java |
| Presets | security, strict |
| Stability | stable |
| Applies to | block |
| Tags | deserialization, jackson, java, rules-catalog, security |

# Why it matters

When the type identifier carried in the JSON is a class name (`Id.CLASS`, `Id.MINIMAL_CLASS`, or unrestricted default typing), the payload decides which classes Jackson instantiates. An attacker who controls that payload can name classes already on the classpath whose constructors or setters have side effects, chain those gadgets together, and pivot to remote code execution.

# Remediation

Disable default typing. Where polymorphism is genuinely required, either validate types with a strict subtype resolver (a `PolymorphicTypeValidator` limited to known application packages) or replace `Id.CLASS` / `Id.MINIMAL_CLASS` with `Id.NAME` and a registered set of allowed subtypes, so that no class name is ever read from the payload.
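The following is an added example of both remediation shapes; it is not code from the Critiq rule page or the Critiq project. It assumes jackson-databind 2.10 or later (for `activateDefaultTyping` and `BasicPolymorphicTypeValidator`); the `Notification` types, the `"email"`/`"sms"` names and the `com.example.notifications.` package prefix are hypothetical.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example, not from the Critiq rule page. Assumes jackson-databind 2.10+;
// the Notification types and the package prefix below are hypothetical.
public class SafePolymorphism {

    // Preferred remediation: the wire format carries a logical name ("email",
    // "sms") and the allowlist is fixed at compile time. No class name is ever
    // read from the payload, so default typing is not needed at all.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = EmailNotification.class, name = "email"),
        @JsonSubTypes.Type(value = SmsNotification.class, name = "sms")
    })
    public interface Notification {}

    public static final class EmailNotification implements Notification {
        public String address;
    }

    public static final class SmsNotification implements Notification {
        public String number;
    }

    // Fallback when default typing is genuinely required: instead of the
    // unrestricted enableDefaultTyping()/activateDefaultTyping() the rule flags,
    // give Jackson a validator that only resolves subtypes under one
    // application package (hypothetical prefix).
    public static ObjectMapper restrictedDefaultTypingMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.notifications.")
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();

        // Constructed sample payload: the name "email" maps to an allowlisted class.
        Notification ok = mapper.readValue(
            "{\"type\":\"email\",\"address\":\"ops@example.test\"}",
            Notification.class);
        System.out.println("accepted: " + ok.getClass().getSimpleName());

        // Constructed sample payload with a type id that is not in the allowlist.
        // With Id.NAME there is no class lookup at all; Jackson rejects the id.
        try {
            mapper.readValue("{\"type\":\"other\",\"x\":1}", Notification.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected unknown type id: " + e.getTypeId());
        }
    }
}
```

The `Id.NAME` form is the one to reach for first: the set of instantiable classes is visible in source and reviewable, and a rule like this one can confirm that no `ObjectMapper` in the code base activates default typing. The validator form should be reserved for code that must round-trip `Object`-typed fields, and its `allowIfSubType` prefix should be as narrow as the model package allows.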

# Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/java/java.security.unsafe-jackson-deserialization.rule.yaml`.