
Tag: jackson

Exploiting deserialization vulnerabilities

Object deserialization is the cause of some of the most serious vulnerabilities in Java. It is baked into the language and has been available since version 1. Many libraries and frameworks use it to copy state and other data across JVMs, so it is unlikely ever to be removed from Java. Most 'fixes' for known vulnerabilities amount to little more than simple allow/block listing of classes, and new bypasses for previous fixes are discovered all the time.

Many techniques for exploiting deserialization vulnerabilities rely on code present in third-party libraries (so-called gadget chains) and do not require any specific first-party application code.

Large JSON responses with Jackson

Jackson is the standard object-to-JSON mapping library for Java. It serializes POJOs to JSON strings and parses JSON strings to populate POJOs. It sits behind many JSON-based REST servers in Java, including Spring MVC. For basic use cases it is very simple to use; with Spring Boot it is completely transparent, as the framework uses Jackson to do the object-to-JSON mapping for you. It is feature-rich and extensible, so it can usually handle more complex use cases too. One such use case is returning large JSON responses with Jackson.