Using unsafe Jackson deserialization configuration is security-sensitive. It has led in the past to the following vulnerabilities:

When Jackson is configured to allow Polymorphic Type Handling (aka PTH), formerly known as Polymorphic Deserialization, "deserialization gadgets" may allow an attacker to perform remote code execution.

This rule raises an issue when:

Ask Yourself Whether

You may be at risk if you answered yes to these questions.

Recommended Secure Coding Practices

Sensitive Code Example

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // Sensitive
@JsonTypeInfo(use = Id.CLASS) // Sensitive
abstract class PhoneNumber {
}

See