GMS-2026-577: Jackson Core: Document length constraint bypass in blocking, async, and DataInput parsers
Jackson Core does not consistently enforce StreamReadConstraints.maxDocumentLength. Oversized JSON documents can be accepted without a StreamConstraintsException in multiple parser entry points, which allows configured size limits to be bypassed and weakens denial-of-service protections. This advisory tracks the backport of GHSA-2m67-wjpj-xhg9 to the 2.18.x and 2.21.x release lines.
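Because the parser's own limit may not fire on affected versions, an application can also cap input size before any bytes reach Jackson. The following is an added example, not code from this advisory or from Jackson Core; BoundedInputStream, MAX_DOC_BYTES and accepted are hypothetical names, and the wrapper covers only the InputStream entry point (async and DataInput callers would have to count bytes themselves).

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.StreamReadConstraints;
import java.io.*;
import java.nio.charset.StandardCharsets;

public class BoundedJsonRead {
    // Hypothetical application limit in bytes (constructed for this example).
    static final long MAX_DOC_BYTES = 64;

    // Fails once more than 'limit' bytes are consumed, independent of Jackson's own check.
    static final class BoundedInputStream extends FilterInputStream {
        private final long limit;
        private long seen;
        BoundedInputStream(InputStream in, long limit) { super(in); this.limit = limit; }
        private long count(long n) throws IOException {
            if (n > 0 && (seen += n) > limit) throw new IOException("input exceeds " + limit + " bytes");
            return n;
        }
        @Override public int read() throws IOException {
            int b = super.read();
            count(b < 0 ? 0 : 1);
            return b;
        }
        @Override public int read(byte[] buf, int off, int len) throws IOException {
            return (int) count(super.read(buf, off, len));
        }
        @Override public long skip(long k) throws IOException {
            return count(super.skip(k));
        }
    }

    // Returns true only if the whole document was tokenized within the byte limit.
    static boolean accepted(JsonFactory f, byte[] doc) {
        try (JsonParser p = f.createParser(new BoundedInputStream(new ByteArrayInputStream(doc), MAX_DOC_BYTES))) {
            while (p.nextToken() != null) { /* drain all tokens */ }
            return true;
        } catch (IOException e) { // StreamConstraintsException is an IOException in 2.x
            return false;
        }
    }

    public static void main(String[] args) {
        // Keep the parser-level constraint configured as well; the wrapper is a second layer.
        JsonFactory f = JsonFactory.builder().streamReadConstraints(
                StreamReadConstraints.builder().maxDocumentLength(MAX_DOC_BYTES).build()).build();
        byte[] small = "{\"a\":1}".getBytes(StandardCharsets.UTF_8);                   // constructed sample
        byte[] big = ("[" + "1,".repeat(100) + "1]").getBytes(StandardCharsets.UTF_8); // constructed, over limit
        System.out.println(accepted(f, small) + " " + accepted(f, big));
    }
}
```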