CVE-2025-49128
Information Disclosure vulnerability in jackson-core (Maven)


What is CVE-2025-49128 About?

A flaw in Jackson-core's `JsonLocation._appendSourceDesc` method (up to version 2.12.x) can leak up to 500 bytes of unintended memory content in exception messages. This occurs when parsing JSON from byte arrays with offsets, as the error message incorrectly reads from the buffer's start instead of the logical payload. This issue could lead to sensitive information disclosure, particularly in systems using pooled or reused buffers.

Affected Software

com.fasterxml.jackson.core:jackson-core >2.0.0, <2.13.0

Technical Details

The vulnerability originates in the `JsonLocation._appendSourceDesc` method within Jackson-core, specifically when `JsonFactory.createParser(byte[] data, int offset, int len)` is used. If an error occurs during parsing, the method is intended to include a snippet of the specified logical payload (the bytes from `offset` to `offset + len`) in the exception message. However, the `_appendSourceDesc` implementation ignores the provided `offset` parameter and always starts reading from index 0 of the byte array. If the byte array is a pooled or reused buffer (common in frameworks like Netty), it may contain residual sensitive data from previous requests. Consequently, up to 500 bytes of data from earlier operations can be inadvertently included in the `JsonParseException` message and exposed to an attacker if the exception text is propagated to the client.

What is the Impact of CVE-2025-49128?

Successful exploitation may allow attackers to retrieve sensitive data such as credentials, session tokens, or other confidential information from memory, leading to unauthorized access, data breaches, or further compromise of the system.

What is the Exploitability of CVE-2025-49128?

Exploitation requires sending malformed JSON data to an application using Jackson for parsing, specifically one that utilizes JsonFactory.createParser(byte[], int, int) with INCLUDE_SOURCE_IN_LOCATION enabled. This is a remote vulnerability and requires no authentication or special privileges. The attacker needs to craft JSON that will cause a parsing error and then observe if the resulting exception message, particularly an HTTP 400 response, contains leaked data. The likelihood of exploitation is significantly increased in environments using pooled or reused byte buffers (e.g., Netty) where sensitive data might linger in memory, and where exception details are not properly sanitized before being returned to clients.
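The following Java check is added here as an example and is not part of this advisory or of the jackson-core project. It reproduces the condition described in Technical Details (a malformed payload placed after stale bytes in one reused buffer, parsed with an offset) so a team can confirm whether the jackson-core version on its classpath quotes bytes from before the offset in the exception message, and shows the feature toggle the Exploitability section names as a precondition. The class name, the buffer contents and the leftover-data string are constructed for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonProcessingException;

public class Cve202549128Check {
    // Constructed stand-in for residual data an earlier request left in a reused buffer.
    static final String LEFTOVER = "Authorization: Bearer CONSTRUCTED-SAMPLE-TOKEN";

    /** Parses malformed JSON placed after LEFTOVER in one shared buffer; returns the error message. */
    static String parseErrorMessage(JsonFactory factory) throws IOException {
        byte[] stale = LEFTOVER.getBytes(StandardCharsets.UTF_8);
        byte[] payload = "{\"k\": }".getBytes(StandardCharsets.UTF_8); // deliberately malformed
        byte[] pooled = Arrays.copyOf(stale, stale.length + payload.length);
        System.arraycopy(payload, 0, pooled, stale.length, payload.length);

        // Only [offset, offset + len) is the logical payload. The vulnerable
        // _appendSourceDesc ignored the offset and quoted from index 0 instead.
        try (JsonParser p = factory.createParser(pooled, stale.length, payload.length)) {
            while (p.nextToken() != null) {
                // consume tokens until the parser hits the syntax error
            }
            return ""; // not reached: the payload is malformed
        } catch (JsonProcessingException e) {
            return e.getMessage();
        }
    }

    /** True when the exception message contains bytes that lie before the declared offset. */
    static boolean leaksStaleBytes(JsonFactory factory) throws IOException {
        return parseErrorMessage(factory).contains(LEFTOVER);
    }

    public static void main(String[] args) throws IOException {
        // On jackson-core < 2.13 with source inclusion enabled (the 2.x default at the time),
        // the default factory's error message quotes the stale bytes.
        System.out.println("default factory leaks stale bytes: " + leaksStaleBytes(new JsonFactory()));

        // Interim hardening when the upgrade to 2.13.0 cannot ship immediately: stop echoing
        // source bytes into location descriptions at all.
        JsonFactory hardened = new JsonFactory().disable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION);
        System.out.println("hardened factory leaks stale bytes: " + leaksStaleBytes(hardened));
    }
}
```

On a fixed release (2.13.0 or later) both lines print `false`; on an affected release the first prints `true`. Disabling the feature removes the quoted snippet from all parse errors, so it is a stopgap rather than a substitute for the upgrade listed below.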

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2025-49128?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch mitigates CVE-2025-49128 by refactoring how content/source references are represented in location-tracking code, so that offsets and content bounds are explicitly and correctly enforced in error messages and context descriptions. By replacing the generic source reference with the new ContentReference abstraction and always respecting the declared offset and length, it ensures that a snippet quoted in an error message can only come from the logical payload, not from the rest of a larger input buffer, which prevents both the information leak and inaccurate content in error output.

Available Upgrade Options

  • com.fasterxml.jackson.core:jackson-core
    • >2.0.0, <2.13.0 → Upgrade to 2.13.0

Additional Resources

What are Similar Vulnerabilities to CVE-2025-49128?

Similar Vulnerabilities: CVE-2021-22145, CVE-2020-25649, CVE-2020-8840, CVE-2018-1000613, CVE-2023-35640