GHSA-72hv-8253-57qq
Denial of Service vulnerability in jackson-core (Maven)
What is GHSA-72hv-8253-57qq About?
The non-blocking JSON parser in `jackson-core` fails to enforce the `maxNumberLength` constraint, allowing attackers to submit JSON with arbitrarily long numbers. This leads to excessive memory and CPU consumption, causing a Denial of Service (DoS). The vulnerability is relatively easy to exploit by crafting a malicious JSON payload.
Affected Software
- tools.jackson.core:jackson-core
  - >=2.19.0, <2.21.1
  - >=2.0.0, <2.18.6
  - >=3.0.0, <3.1.0
- com.fasterxml.jackson.core:jackson-core
  - >=2.19.0, <2.21.1
  - >=2.0.0, <2.18.6
  - >=3.0.0, <3.1.0
Technical Details
The vulnerability stems from the asynchronous parsing path in `NonBlockingUtf8JsonParserBase` within `jackson-core` not invoking the necessary number length validation methods. Specifically, number parsing routines like `_finishNumberIntegralPart` accumulate digits into the `TextBuffer` without length checks. After parsing, `_valueComplete()` is called, which finalizes the token but bypasses `resetInt()` or `resetFloat()`. These reset methods in `ParserBase` are responsible for `validateIntegerLength()` and `validateFPLength()`, meaning the `maxNumberLength` constraint is never applied in the async code path, unlike its synchronous counterpart.
What is the Impact of GHSA-72hv-8253-57qq?
Successful exploitation may allow attackers to trigger memory exhaustion, leading to `OutOfMemoryError`, and CPU exhaustion due to expensive `BigInteger` parsing operations. This effectively renders the application or service unavailable, causing a Denial of Service.
What is the Exploitability of GHSA-72hv-8253-57qq?
Exploitation involves crafting a JSON payload containing an extremely long number and transmitting it to a target system that parses it with the vulnerable asynchronous `jackson-core` parser. The complexity is low, as it only requires sending a JSON document whose number exceeds the limit the skipped validation logic should have enforced. No prior authentication is needed, since the vulnerability affects the parsing of incoming data. Remote access is required for an attacker to send the malicious JSON to the target application. The primary risk factor is any application that uses `jackson-core`'s async parser to process untrusted JSON input, as an attacker can directly induce a DoS condition.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for GHSA-72hv-8253-57qq?
Available Upgrade Options
- tools.jackson.core:jackson-core
  - >=2.0.0, <2.18.6 → Upgrade to 2.18.6
  - >=2.19.0, <2.21.1 → Upgrade to 2.21.1
  - >=3.0.0, <3.1.0 → Upgrade to 3.1.0
- com.fasterxml.jackson.core:jackson-core
  - >=2.0.0, <2.18.6 → Upgrade to 2.18.6
  - >=2.19.0, <2.21.1 → Upgrade to 2.21.1
  - >=3.0.0, <3.1.0 → Upgrade to 3.1.0
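A regression check for the behaviour described in the technical details above, useful after applying one of the upgrades listed here. This is an added example, not code from the advisory or from the jackson-core project: it configures a deliberately small `maxNumberLength`, feeds a longer number through the non-blocking parser, and reports whether the limit is enforced on the async path. It assumes the 2.x coordinates `com.fasterxml.jackson.core` and the `StreamReadConstraints` builder API introduced in Jackson 2.15; the class and method names are the example's own.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.async.ByteArrayFeeder;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;

// Regression check: does the non-blocking parser on the classpath honour maxNumberLength?
public class AsyncNumberLengthCheck {

    // Deliberately small limit so the constructed input stays tiny.
    static JsonFactory factoryWithLimit(int maxNumberLength) {
        return JsonFactory.builder()
                .streamReadConstraints(StreamReadConstraints.builder()
                        .maxNumberLength(maxNumberLength).build())
                .build();
    }

    // Constructed input: a JSON array holding one integer of `digits` digits.
    static byte[] longNumberJson(int digits) {
        char[] c = new char[digits];
        Arrays.fill(c, '7');
        return ("[" + new String(c) + "]").getBytes(StandardCharsets.UTF_8);
    }

    // true if the async parser rejects the over-long number, false if it accepts it.
    static boolean asyncPathEnforcesLimit(JsonFactory f, byte[] json) throws IOException {
        try (JsonParser p = f.createNonBlockingByteArrayParser()) {
            ByteArrayFeeder feeder = (ByteArrayFeeder) p.getNonBlockingInputFeeder();
            feeder.feedInput(json, 0, json.length);
            feeder.endOfInput();
            // A fixed build throws while finalising the number token; an unfixed one
            // hands the token back and only pays the cost when the value is materialised.
            while (p.nextToken() != null) {
                if (p.currentToken().isNumeric()) {
                    p.getNumberValue();
                }
            }
            return false;
        } catch (StreamConstraintsException expected) {
            return true;
        }
    }

    public static void main(String[] args) throws IOException {
        boolean ok = asyncPathEnforcesLimit(factoryWithLimit(100), longNumberJson(500));
        System.out.println(ok ? "async parser enforces maxNumberLength"
                              : "async parser ignored maxNumberLength: upgrade jackson-core");
    }
}
```

With a fixed build the check returns `true` before any value is materialised; on the 3.x line (`tools.jackson.core`) the package names and the unchecked exception hierarchy differ, so the imports need adjusting.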
Additional Resources
- https://osv.dev/vulnerability/GHSA-72hv-8253-57qq
- https://github.com/FasterXML/jackson-core/commit/a004e9789c2cc6b41b379d02d229d58474d9a738
- https://github.com/FasterXML/jackson-core/security/advisories/GHSA-72hv-8253-57qq
- https://github.com/FasterXML/jackson-core
- https://github.com/FasterXML/jackson-core/issues/1538
What are Similar Vulnerabilities to GHSA-72hv-8253-57qq?
Similar Vulnerabilities: CVE-2022-42173, CVE-2022-38749, CVE-2022-25647, CVE-2020-36518, CVE-2018-1000613
