GHSA-72hv-8253-57qq

Data: 2026-03-08

Severity: High

CVSS Score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)

Riferimenti:

• https://github.com/advisories/GHSA-72hv-8253-57qq

Libreria: com.fasterxml.jackson.core:jackson-core <= 2.18.5 e < < 2.21.1

Descrizione

CWE-770 Allocation of Resources Without Limits or Throttling

The non-blocking (async) JSON parser in jackson-core bypasses the maxNumberLength constraint (default: 1000 characters) defined in StreamReadConstraints. This allows an attacker to send JSON with arbitrarily long numbers through the async parser API, leading to excessive memory allocation and potential CPU exhaustion, resulting in a Denial of Service (DoS).

The standard synchronous parser correctly enforces this limit, but the async parser fails to do so, creating an inconsistent enforcement policy.

GovWay

Versione affette:

• 3.3.x: <= 3.3.19

• 3.4.x: <= 3.4.2

Risoluzione:

• 3.3.x: 3.3.19.p1

• 3.4.x: 3.4.2.p1