GHSA-2m67-wjpj-xhg9: Jackson Core: Document length constraint bypass in blocking, async, and DataInput parsers

April 4, 2026 (updated April 8, 2026)

Jackson Core 3.x does not consistently enforce StreamReadConstraints.maxDocumentLength. Oversized JSON documents can be accepted without a StreamConstraintsException in multiple parser entry points, which allows configured size limits to be bypassed and weakens denial-of-service protections.

References

github.com/FasterXML/jackson-core
github.com/FasterXML/jackson-core/commit/74c9ee255d1534c179bc7d3de48941bf39a9079c
github.com/FasterXML/jackson-core/security/advisories/GHSA-2m67-wjpj-xhg9
github.com/advisories/GHSA-2m67-wjpj-xhg9

Code Behaviors & Features

Detect and mitigate GHSA-2m67-wjpj-xhg9 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →