Skip to content

Update dependency com.fasterxml.jackson.core:jackson-core to v2.15.0 [SECURITY] #317

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update dependency com.fasterxml.jackson.core:jackson-core to v2.15.0 [SECURITY] #317

wants to merge 1 commit into from

Conversation

@renovate
Copy link

@renovate renovate bot commented Jun 8, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
com.fasterxml.jackson.core:jackson-core 2.3.2 -> 2.15.0 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-49128

Overview

A flaw in Jackson-core's JsonLocation._appendSourceDesc method allows up to 500 bytes of unintended memory content to be included in exception messages. When parsing JSON from a byte array with an offset and length, the exception message incorrectly reads from the beginning of the array instead of the logical payload start. This results in possible information disclosure in systems using pooled or reused buffers, like Netty or Vert.x.

Details

The vulnerability affects the creation of exception messages like:

JsonParseException: Unexpected character ... at [Source: (byte[])...]

When JsonFactory.createParser(byte[] data, int offset, int len) is used, and an error occurs while parsing, the exception message should include a snippet from the specified logical payload. However, the method _appendSourceDesc ignores the offset, and always starts reading from index 0.

If the buffer contains residual sensitive data from a previous request, such as credentials or document contents, that data may be exposed if the exception is propagated to the client.

The issue particularly impacts server applications using:

  • Pooled byte buffers (e.g., Netty)
  • Frameworks that surface parse errors in HTTP responses
  • Default Jackson settings (i.e., INCLUDE_SOURCE_IN_LOCATION is enabled)

A documented real-world example is CVE-2021-22145 in Elasticsearch, which stemmed from the same root cause.

Attack Scenario

An attacker sends malformed JSON to a service using Jackson and pooled byte buffers (e.g., Netty-based HTTP servers). If the server reuses a buffer and includes the parser’s exception in its HTTP 400 response, the attacker may receive residual data from previous requests.

Proof of Concept

byte[] buffer = new byte[1000];
System.arraycopy("SECRET".getBytes(), 0, buffer, 0, 6);
System.arraycopy("{ \"bad\": }".getBytes(), 0, buffer, 700, 10);

JsonFactory factory = new JsonFactory();
JsonParser parser = factory.createParser(buffer, 700, 20);
parser.nextToken(); // throws exception

// Exception message will include "SECRET"

Patches

This issue was silently fixed in jackson-core version 2.13.0, released on September 30, 2021, via PR #​652.

All users should upgrade to version 2.13.0 or later.

Workarounds

If upgrading is not immediately possible, applications can mitigate the issue by:

  1. Disabling exception message exposure to clients — avoid returning parsing exception messages in HTTP responses.

  2. Disabling source inclusion in exceptions by setting:

    jsonFactory.disable(JsonFactory.Feature.INCLUDE_SOURCE_IN_LOCATION);

    This prevents Jackson from embedding any source content in exception messages, avoiding leakage.

References

CVE-2025-52999

Impact

With older versions of jackson-core, if you parse an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large.

Patches

jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. Change is in https://github.com/FasterXML/jackson-core/pull/943. jackson-core will throw a StreamConstraintsException if the limit is reached.
jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs.

Workarounds

Users should avoid parsing input files from untrusted sources.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/maven-com.fasterxml.jackson.core-jackson-core-vulnerability branch from a6c9aa9 to 49bfdb1 Compare June 29, 2025 20:08
@renovate renovate bot changed the title Update dependency com.fasterxml.jackson.core:jackson-core to v2.13.0 [SECURITY] Update dependency com.fasterxml.jackson.core:jackson-core to v2.15.0 [SECURITY] Jun 29, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant