A RCE vulnerability in the Jackson JSON library

Who should read this

All Struts 2 developers and users which are using the REST plugin

Impact of vulnerability

It is possible perform a RCE attack using a crafted JSON payload, please read the linked issue for more details

Maximum security rating



Upgrade to Struts

Affected Software

Struts 2.5 - Struts 2.5.14


David Dillard < david dot dillard at veritas dot com> - Veritas Technologies Product Security Group

CVE Identifier

Related to CVE-2017-7525


A RCE vulnerability was detected in the latest Jackson JSON library, which was reported here. Upgrade com.fasterxml.jackson to version 2.9.2 to address CVE-2017-7525.


Upgrade to Apache Struts version Another solution is to manually upgrade Jackson dependencies in your project to not vulnerable versions, see this comment.

Backward compatibility

No backward incompatibility issues are expected.


Upgrade Jackson JSON library to the latest version.

  • No labels