CVE-2022-42004: Death by a Thousand Brackets in Jackson-databind
Vulnerability ID: CVE-2022-42004
CVSS Score: 7.5
Published: 2022-10-01
A high-severity Denial of Service vulnerability in the ubiquitous FasterXML jackson-databind library. When the UNWRAP_SINGLE_VALUE_ARRAYS deserialization feature is enabled, the bean deserializer recurses once for every nested array it unwraps, so a payload of deeply nested JSON arrays drives it into a StackOverflowError. The payload is trivial to produce (just opening and closing brackets) and needs no knowledge of the target class.
TL;DR
If you use Jackson to deserialize untrusted JSON into beans and have UNWRAP_SINGLE_VALUE_ARRAYS enabled, a payload like [[[[...]]]] exhausts the thread stack and crashes the request (and, depending on how the server handles StackOverflowError, the JVM). Update to 2.13.4 (or 2.12.7.1 on the 2.12 line) or disable the feature.
⚠️ Exploit Status: POC
Technical Details
- CWE: CWE-674 (Uncontrolled Recursion)
- CVSS: 7.5 (High)
- Attack Vector: Network
- Availability Impact: High (Stack Exhaustion)
- Exploit Complexity: Low
- Authentication: None
Affected Systems
- Java applications using jackson-databind < 2.13.4 (2.12.x: < 2.12.7.1)
- Spring Boot applications (Jackson is the default JSON mapper)
- Any service that enables UNWRAP_SINGLE_VALUE_ARRAYS and deserializes untrusted input into beans
- jackson-databind 2.13.0 - 2.13.3 (fixed in 2.13.4)
- jackson-databind 2.12.0 - 2.12.7 (fixed in 2.12.7.1)
Code Analysis
Commit: 0631835
Fix for CVE-2022-42004: add check to prevent nested arrays when UNWRAP_SINGLE_VALUE_ARRAYS is enabled
```java
// Patched array-unwrapping path of the bean deserializer: after the outer
// START_ARRAY has been consumed, a second START_ARRAY is reported as an
// unexpected token instead of being recursed into.
if (t == JsonToken.START_ARRAY) {
    return (Object) ctxt.handleUnexpectedToken(_beanType, p);
}
```
Exploit Details
- GitHub: Original issue report with reproduction steps
Mitigation Strategies
- Upgrade jackson-databind to a patched version
- Disable UNWRAP_SINGLE_VALUE_ARRAYS if not strictly required
- Cap nesting depth at the parser level with StreamReadConstraints.maxNestingDepth (jackson-core 2.15+, default 1000), which rejects deep input before databind ever recurses
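The following is an added worked example (not code from the page or from the jackson-databind project) that ties the TL;DR to the mitigations above: it builds the nested-bracket payload, shows the vulnerable mapper configuration, and then shows two defenses, a token-stream pre-scan that works on any 2.x release and the StreamReadConstraints limit available from jackson-core 2.15. The `Person` bean, the depth of 100000 and the limit of 100 are arbitrary choices for the demo.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;

import java.io.IOException;

public class NestedArrayDemo {

    // Arbitrary target bean; the vulnerable path is the bean deserializer's
    // array unwrapping, so the target's fields do not matter.
    public static class Person {
        public String name;
    }

    // Constructed attacker payload: `depth` opening brackets followed by
    // `depth` closing brackets, nothing else.
    static String nestedArrays(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // Vulnerable configuration on jackson-databind < 2.13.4 / < 2.12.7.1:
    // UNWRAP_SINGLE_VALUE_ARRAYS is what makes [[[...]]] recurse per bracket.
    static ObjectMapper vulnerableMapper() {
        return JsonMapper.builder()
                .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)
                .build();
    }

    // Mitigation usable on any 2.x release: walk the token stream first.
    // jackson-core's parser is iterative, so this scan does not recurse;
    // it rejects the document as soon as nesting exceeds maxDepth.
    static void rejectIfTooDeep(JsonFactory f, String json, int maxDepth) throws IOException {
        try (JsonParser p = f.createParser(json)) {
            while (p.nextToken() != null) {
                int depth = p.getParsingContext().getNestingDepth();
                if (depth > maxDepth) {
                    throw new IOException("JSON nesting depth " + depth
                            + " exceeds limit " + maxDepth);
                }
            }
        }
    }

    // Mitigation on jackson-core 2.15+: the parser itself enforces
    // maxNestingDepth and throws StreamConstraintsException, so the
    // unwrapping feature can stay enabled safely.
    static ObjectMapper constrainedMapper(int maxDepth) {
        JsonFactory f = JsonFactory.builder()
                .streamReadConstraints(StreamReadConstraints.builder()
                        .maxNestingDepth(maxDepth)
                        .build())
                .build();
        return JsonMapper.builder(f)
                .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)
                .build();
    }

    public static void main(String[] args) throws Exception {
        String payload = nestedArrays(100_000);

        // 1. Unpatched library with the feature enabled: stack exhaustion.
        //    A patched release instead fails fast with a MismatchedInputException.
        try {
            vulnerableMapper().readValue(payload, Person.class);
        } catch (StackOverflowError e) {
            System.out.println("vulnerable mapper: StackOverflowError");
        } catch (Exception e) {
            System.out.println("patched mapper rejected input: " + e.getClass().getSimpleName());
        }

        // 2. Pre-scan defense, independent of the databind version.
        try {
            rejectIfTooDeep(new JsonFactory(), payload, 100);
        } catch (IOException e) {
            System.out.println("pre-scan: " + e.getMessage());
        }

        // 3. Parser-level constraint (2.15+).
        try {
            constrainedMapper(100).readValue(payload, Person.class);
        } catch (StreamConstraintsException e) {
            System.out.println("stream constraints: " + e.getMessage());
        }
    }
}
```

The pre-scan costs a second pass over the input, so on 2.15+ prefer the StreamReadConstraints limit, which is enforced in the same pass that databind consumes. Either way, the limit should be set well below what the thread stack can absorb; the default of 1000 is adequate for ordinary payloads.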
Remediation Steps:
- Identify dependency versions using `mvn dependency:tree` or `gradle dependencies`.
- Update `jackson-databind` to 2.13.4, 2.12.7.1, or 2.14.0+.
- Rebuild and deploy the application.
References
Read the full report for CVE-2022-42004 on our website for more details including interactive diagrams and full exploit analysis.