GHSA-72hv-8253-57qq: jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition

February 28, 2026 (updated March 3, 2026)

The non-blocking (async) JSON parser in jackson-core bypasses the maxNumberLength constraint (default: 1000 characters) defined in StreamReadConstraints. This allows an attacker to send JSON with arbitrarily long numbers through the async parser API, leading to excessive memory allocation and potential CPU exhaustion, resulting in a Denial of Service (DoS).

The standard synchronous parser correctly enforces this limit, but the async parser fails to do so, creating an inconsistent enforcement policy.

References

github.com/FasterXML/jackson-core
github.com/FasterXML/jackson-core/commit/b0c428e6f993e1b5ece5c1c3cb2523e887cd52cf
github.com/FasterXML/jackson-core/pull/1555
github.com/FasterXML/jackson-core/security/advisories/GHSA-72hv-8253-57qq
github.com/advisories/GHSA-72hv-8253-57qq

Code Behaviors & Features

Detect and mitigate GHSA-72hv-8253-57qq with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →