A vulnerability has been identified in the Jackson jackson-core library, specifically affecting the asynchronous (non-blocking) parser. In affected versions, the non-blocking parser fails to enforce the maxNumberLength limit (part of StreamReadConstraints), so a remote attacker who can submit a specially crafted JSON payload containing exceptionally long numeric values can drive excessive resource consumption and cause a Denial of Service (DoS).
Applications are vulnerable if they satisfy the following criteria:
They use Spring WebFlux or Spring Cloud Gateway (WebFlux-based).
They process incoming JSON payloads using the default Jackson non-blocking parser.
They have not mitigated large-number payloads by other means, such as rejecting them at the infrastructure level (e.g., via a WAF). Note that, because the affected parser does not enforce maxNumberLength, tightening StreamReadConstraints in the application is not a reliable mitigation on its own.
This issue may affect the following Spring Boot versions:
| Product | Affected Versions | Fixed In |
|---|---|---|
| Spring Boot | 3.5.0 – 3.5.12 | 3.5.13* |
| Spring Boot | 4.0.0 – 4.0.3 | 4.0.4 |
* Tentative target for the 3.5.x line. At the time the KB article was published, it wasn't released yet.
The affected Jackson ranges are:
com.fasterxml.jackson.core:jackson-core 2.19.0 through 2.21.0
tools.jackson.core:jackson-core 3.0.0 through 3.0.4
For Spring Boot 4.0.x, this can apply in two cases:
applications using the default Jackson 3 stack
applications still using Jackson 2 compatibility mode during migration to Spring Boot 4
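The quickest way to confirm whether an application resolves an affected jackson-core is to inspect the build's resolved dependency tree rather than the declared versions. The script below is an added example written for this article; it is not part of the advisory, Spring Boot or Jackson. It parses the per-artifact lines printed by `mvn dependency:tree` (group:artifact:type:version:scope) and by `gradle dependencies` (group:artifact:version, with "-> x.y.z" when Gradle resolved a version upward) and flags every jackson-core artifact whose resolved version lies inside the two ranges listed above. The dependency-tree lines embedded at the bottom are constructed sample input.

```python
"""Audit resolved jackson-core versions against the affected ranges above.

Added example, not part of the original advisory or of Spring Boot/Jackson.
Affected (inclusive) ranges, as listed in the advisory:
  com.fasterxml.jackson.core:jackson-core  2.19.0 through 2.21.0
  tools.jackson.core:jackson-core          3.0.0  through 3.0.4
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

AFFECTED = {
    "com.fasterxml.jackson.core:jackson-core": ((2, 19, 0), (2, 21, 0)),
    "tools.jackson.core:jackson-core": ((3, 0, 0), (3, 0, 4)),
}

# A coordinate is three or more colon-separated tokens; Gradle appends
# "-> <resolved>" when conflict resolution picked a different version.
COORD_RE = re.compile(r"([A-Za-z0-9_.\-]+(?::[A-Za-z0-9_.\-]+){2,})")
RESOLVED_RE = re.compile(r"->\s*([0-9][A-Za-z0-9_.\-]*)")


def parse_version(text: str) -> Version:
    """'2.19.2' -> (2, 19, 2). Only the numeric prefix of each segment is
    kept, so '2.21.1-SNAPSHOT' compares as (2, 21, 1)."""
    nums = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def parse_coordinate(line: str) -> Optional[Tuple[str, str]]:
    """Extract ('group:artifact', resolved_version) from one tree line,
    or None if the line carries no coordinate."""
    m = COORD_RE.search(line)
    if not m:
        return None
    parts = m.group(1).split(":")
    group, artifact = parts[0], parts[1]
    # The version is the first token after the artifact that starts with a
    # digit; this skips Maven's type (jar) and classifier tokens.
    version = next((p for p in parts[2:] if p[:1].isdigit()), None)
    if version is None:
        return None
    resolved = RESOLVED_RE.search(line, m.end())
    if resolved:
        version = resolved.group(1)  # Gradle: use the resolved version
    return f"{group}:{artifact}", version


def is_affected(coordinate: str, version: str) -> Optional[bool]:
    """True if coordinate:version lies in an affected range, False if it is a
    jackson-core artifact outside the range, None for any other artifact."""
    rng = AFFECTED.get(coordinate)
    if rng is None:
        return None
    lo, hi = rng
    return lo <= parse_version(version) <= hi


def audit(tree_lines) -> List[Tuple[str, str, bool]]:
    """Return (coordinate, resolved version, affected) for every jackson-core
    artifact found in the given dependency-tree lines."""
    findings = []
    for line in tree_lines:
        parsed = parse_coordinate(line)
        if parsed is None:
            continue
        coord, version = parsed
        verdict = is_affected(coord, version)
        if verdict is not None:
            findings.append((coord, version, verdict))
    return findings


# Constructed sample: a Maven tree fragment from a Boot 3.5.x app (affected),
# a Gradle line where 2.19.0 was resolved upward to the fixed 2.21.1, and a
# Jackson 3 artifact on the affected 3.0.x line.
SAMPLE_TREE = """\
[INFO] +- org.springframework.boot:spring-boot-starter-webflux:jar:3.5.12:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-json:jar:3.5.12:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.19.2:compile
[INFO] |  |  |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.19.2:compile
+--- com.fasterxml.jackson.core:jackson-core:2.19.0 -> 2.21.1
+--- tools.jackson.core:jackson-core:3.0.2
""".splitlines()

if __name__ == "__main__":
    for coord, version, affected in audit(SAMPLE_TREE):
        print(f"{'AFFECTED' if affected else 'ok      '} {coord}:{version}")
```

In practice, pipe the real output of `mvn dependency:tree` or `./gradlew dependencies --configuration runtimeClasspath` into `audit`. Checking the resolved tree matters because a Spring Boot starter pulls jackson-core transitively: for Maven-based Spring Boot 3.5.x projects the managed version comes from the jackson-bom.version property of spring-boot-dependencies, so an override there (or `ext['jackson-bom.version']` with Spring's Gradle dependency-management plugin) is what actually moves the resolved version, and the audit should be re-run after changing it.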
The issue is caused by vulnerable Jackson versions in which the async parser does not correctly enforce number-length constraints. For the Jackson 2.x line, the advisory lists 2.21.1 and later as fixed. For the Jackson 3.x line, the advisory lists 3.1.0 and later as fixed.
For Spring Boot 3.5.x, the affected dependency is on the Jackson 2.x line. Jackson 2.19 is no longer maintained, and the supported 2.x lines that received fixes are 2.18.6 and 2.21.1. A further consideration for Spring Boot 3.5.x is Kotlin compatibility: Jackson 2.21.2 is intended to provide Kotlin 1.9 compatibility in the Jackson 2.21 line, but the Jackson 2.21 release wiki currently lists 2.21.2 as not yet released.
For Spring Boot 4.0.x, the issue can be resolved through either of two dependency lines included in Spring Boot 4.0.4:
Jackson 3 BOM 3.1.0, which fixes the issue for applications using the default Jackson 3 stack
Jackson 2 BOM 2.21.1, which fixes the issue for applications still using Jackson 2 compatibility mode
Upgrade to one of the following versions:
Spring Boot 3.5.13 (planned for April 23rd) or later for applications on the 3.5.x line
Spring Boot 4.0.4 or later for applications on the 4.0.x line
For Spring Boot 4.0.x, the issue is resolved in Spring Boot 4.0.4. Applications using the default Jackson 3 stack receive the fix via tools.jackson.core:jackson-core:3.1.0. Applications still using Jackson 2 compatibility mode receive the fix via Jackson 2 BOM 2.21.1.
For Spring Boot 3.5.x, the target fix is 3.5.13. Until that release is available, a temporary mitigation is to override the Spring Boot-managed Jackson BOM version so that the application resolves a fixed Jackson 2.x release, after validating that release in your environment (including the Kotlin compatibility consideration noted above). At present, jackson-core 2.21.1 is published, while the Jackson 2.21 release wiki still lists 2.21.2 as not yet released.
GitHub advisory GHSA-72hv-8253-57qq — jackson-core number length constraint bypass in async parser.
Spring Boot 4.0.4 release notes.
Spring Boot issue #49365 — Jackson upgrade for Spring Boot 3.5.x.
Spring Boot issue #49383 — Jackson 3.1.0 upgrade for Spring Boot 4.0.x.
Spring Boot issue #49389 — Jackson 2 BOM 2.21.1 upgrade for Spring Boot 4.0.x.