Java code that deserializes JSON strings from untrusted sources can be vulnerable to a variety of attacks, including remote command execution (RCE), denial of service (DoS) and others.

References

Deserialization
CWE-502: Deserialization of Untrusted Data
On Jackson CVEs: Don’t Panic - Here is what you need to know
Class ObjectMapper
CWE CATEGORY: OWASP Top Ten 2017 Category A1 - Injection

MEDIUM

Java : Unsafe JSON deserialization (Jackson)

Classification

Overview

References

DerScanner Severity Score

Do you want to fix Java : Unsafe JSON deserialization (Jackson) in your application?

See also

Java : Race condition

Java : Text4Shell Vulnerability

Java : JNI usage