CVE Reports

Originally published at cvereports.com

GHSA-72HV-8253-57QQ: Unchecked Numeric Lengths in Jackson Async Parser

Vulnerability ID: GHSA-72HV-8253-57QQ
CVSS Score: 7.5
Published: 2026-02-28

A flaw in the FasterXML jackson-core library's non-blocking (asynchronous) JSON parser allows StreamReadConstraints, the per-factory parsing limits introduced in 2.15.0, to be bypassed for numeric value lengths. The standard blocking parser enforces the configured maxNumberLength and rejects oversized numbers to prevent Denial of Service (DoS), but the async implementation never checks the length of incoming integer and floating-point tokens against that maximum. The discrepancy exposes applications built on reactive stacks, such as Spring WebFlux, Vert.x or Micronaut, to resource exhaustion: a crafted JSON payload containing an extremely long number forces the parser to buffer and then convert the whole token, driving excessive memory allocation and CPU consumption.

TL;DR

The non-blocking Jackson parser ignores the maxNumberLength limit of StreamReadConstraints, so an attacker can send numbers as long as the request body allows. The result is Denial of Service (DoS) in reactive Java applications through memory and CPU exhaustion.

Technical Details

  • CWE ID: CWE-770
  • Attack Vector: Network
  • CVSS Score: 7.5 (High)
  • Impact: Denial of Service (DoS)
  • Affected Component: NonBlockingUtf8JsonParserBase (package com.fasterxml.jackson.core.json.async)
  • Exploit Status: PoC Available

Affected Systems

Only code paths that obtain a parser from the non-blocking API are affected; the blocking parser enforces the limit correctly.

  • Spring WebFlux applications
  • Vert.x applications
  • Micronaut Framework (reactive mode)
  • Netty-based services using Jackson
  • Any Java application that obtains a parser from JsonFactory.createNonBlockingByteArrayParser() or JsonFactory.createNonBlockingByteBufferParser()
  • jackson-core >= 2.15.0, < 2.15.4 (fixed in 2.15.4)
  • jackson-core >= 2.16.0, < 2.16.2 (fixed in 2.16.2)

Exploit Details

  • GitHub Advisory GHSA-72HV-8253-57QQ: describes the attack vector, a JSON document carrying numeric tokens far longer than the configured maxNumberLength, which the non-blocking parser accepts and processes in full instead of rejecting.

Mitigation Strategies

  • Update jackson-core (and any framework artifact that bundles it) to a fixed version immediately; this is the only change that closes the gap in the non-blocking parser.
  • Verify the StreamReadConstraints configuration of every JsonFactory you build, so that maxNumberLength stays at a sane value once the fixed parser starts honouring it (the default is 1000 digits).
  • Enforce request body size limits at the WAF or reverse proxy as defence in depth: a numeric token cannot be longer than the body that carries it, so a body cap bounds the damage on deployments that cannot upgrade yet.

Remediation Steps:

  1. Identify every project that pulls in jackson-core, including transitively, via dependency tree analysis (e.g., mvn dependency:tree or gradle dependencies), and note the resolved version.
  2. Upgrade jackson-core to 2.15.4 (for 2.15.x users), 2.16.2 (for 2.16.x users), or 2.17.0+.
  3. If you configure JsonFactory explicitly, confirm that StreamReadConstraints (in particular maxNumberLength) are set to the values you intend; the defaults apply when nothing is configured. On an affected version this configuration is honoured only by the blocking parser, so it does not substitute for the upgrade.
  4. Redeploy and monitor for StreamConstraintsException (com.fasterxml.jackson.core.exc.StreamConstraintsException), which is what Jackson throws when a read constraint is exceeded; a spike may indicate legitimate but large payloads now being rejected.
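To confirm whether the jackson-core build your application resolves actually enforces maxNumberLength on the non-blocking path (the discrepancy described in the summary above, and the verification implied by remediation steps 3 and 4), here is an added Java self-check. It is example code written for this page, not code from the advisory or from the jackson-core project. It assumes jackson-core 2.15 or later on the classpath (StreamReadConstraints does not exist in earlier versions); the 100-digit limit and the constructed 10,000-digit payload are arbitrary demo values, and the class and method names are the example's own.

```java
import java.nio.charset.StandardCharsets;

import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.async.ByteArrayFeeder;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;

/**
 * Self-check: does this jackson-core build enforce maxNumberLength in the
 * non-blocking parser as well as in the blocking one?
 * Added example for this page; not part of the advisory or of jackson-core.
 */
public class AsyncNumberLengthCheck {

    // Assumed demo values: a small limit and a payload that exceeds it by far.
    private static final int LIMIT = 100;
    private static final int PAYLOAD_DIGITS = 10_000;

    /** Constructed payload: one object whose single value is an integer of `digits` digits. */
    static byte[] longNumberJson(int digits) {
        StringBuilder sb = new StringBuilder(digits + 16);
        sb.append("{\"n\":");
        for (int i = 0; i < digits; i++) {
            sb.append('7');
        }
        sb.append('}');
        return sb.toString().getBytes(StandardCharsets.UTF_8);
    }

    /** A JsonFactory whose StreamReadConstraints cap number length at maxNumberLength digits. */
    static JsonFactory factoryWithLimit(int maxNumberLength) {
        return JsonFactory.builder()
                .streamReadConstraints(StreamReadConstraints.builder()
                        .maxNumberLength(maxNumberLength)
                        .build())
                .build();
    }

    /** True if the blocking parser rejects the payload with StreamConstraintsException. */
    static boolean blockingEnforces(JsonFactory f, byte[] json) throws Exception {
        try (JsonParser p = f.createParser(json)) {
            while (p.nextToken() != null) {
                // drain tokens; the length check fires while the number token is read
            }
            return false;
        } catch (StreamConstraintsException e) {
            return true;
        }
    }

    /** Same check against the non-blocking parser, with the whole payload fed in one chunk. */
    static boolean nonBlockingEnforces(JsonFactory f, byte[] json) throws Exception {
        try (JsonParser p = f.createNonBlockingByteArrayParser()) {
            ByteArrayFeeder feeder = (ByteArrayFeeder) p.getNonBlockingInputFeeder();
            feeder.feedInput(json, 0, json.length);
            feeder.endOfInput();
            JsonToken t;
            while ((t = p.nextToken()) != null && t != JsonToken.NOT_AVAILABLE) {
                // drain tokens
            }
            return false;
        } catch (StreamConstraintsException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        JsonFactory f = factoryWithLimit(LIMIT);
        byte[] json = longNumberJson(PAYLOAD_DIGITS);
        boolean blocking = blockingEnforces(f, json);
        boolean async = nonBlockingEnforces(f, json);
        System.out.println("maxNumberLength=" + LIMIT + ", payload digits=" + PAYLOAD_DIGITS);
        System.out.println("blocking parser enforces limit:     " + blocking);
        System.out.println("non-blocking parser enforces limit: " + async);
        if (blocking && !async) {
            System.out.println("VULNERABLE: non-blocking parser ignores maxNumberLength; upgrade jackson-core.");
            System.exit(1);
        }
    }
}
```

Run it with the jackson-core version your build actually resolves (see step 1). Per the advisory, an affected build reports `true` for the blocking parser and `false` for the non-blocking one; a fixed build reports `true` for both. The non-zero exit on the vulnerable combination lets the check sit in CI as a regression guard after the upgrade.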
