When Jackson goes EOL, the CVEs don't stop.

Never-Ending Support (NES) for Jackson keeps the JSON parser at the heart of your Java stack secure, compliant, and audit-ready, even after end of life.  NES gives your security team, your engineers, and your leadership back something they lost at EOL: the power to control their own security posture, their own timeline, and where the business focuses its attention.

TRUSTED BY ENTERPRISE

Google logoMicrosoft logoFinra logoBank Santander Logo
Hitachi LogoWorkday logoDropbox logo

Security, compliance, and continuity -- solved together

Jackson is the default JSON serializer in Spring Boot and sits in nearly every JVM service you ship — but the 2.13.x, 2.14.x, and 2.15.x lines have stopped receiving upstream fixes, so new CVEs go unpatched and scanners flag every build. NES for Jackson is a secure build of the 2.13.x, 2.14.x, and 2.15.x linesCVE fixes across all severity levels on the EOL 2.x line

Security

The risk: deserialization is a preferred target — and EOL means no upstream fix.

CVE fixes across all severity levels on the EOL 2.x line — closing the window that deserialization attacks depend on.

SLA-backed patch delivery tied to severity

Back-ported fixes for 2.13.x, 2.14.x, and 2.15.x

Core, dataformat, datatype & module coverage

Compliance

The risk: an open audit finding with no fix path under CRA, PCI DSS, SOC 2, DORA & NIS2.

Scanners stop flagging CVEs in EOL Jackson and every build ships with a VEX statement so the unsupported-dependency finding comes off your report.

Coverage for SOC 2, PCI DSS, HIPAA, FedRAMP

DORA, NIS2, EU Cyber Resilience Act, and more

VEX statements & documented patch history

Business Continuity

The risk: a rushed upgrade breaks custom serializers and on-the-wire contracts.

A drop-in Maven artifact that swaps in with one coordinate change and no app code — so you migrate Jackson lines on your own schedule.

Months or years of runway to migrate right

No rewrites, no broken serializers

A fraction of migration cost

“We had three options: 1) migrate to a new framework (expensive, time consuming and disruptive to planned roadmap), 2) maintain the framework ourselves (diversion of development resources), 3) engage with HeroDevs for never ending support as a subscription (budget able annual expense, no impact to dev plan)… Implementation was super simple. With the implementation of the HeroDevs libraries, 100% of the known vulnerabilities in the AngularJS framework were remediated yielding a clean scan via Burp Suite for our monthly POA&M.”

— ViTel Net
Enterprise healthcare IT

“By leveraging HeroDevs’ extended support, we were able to mitigate security risks, continue safe operation of the legacy application, and gain valuable time to plan a more sustainable long-term migration strategy — all without compromising on client experience or regulatory requirements.”

— Sanlam Private Wealth
Financial services

“We were caught in the classic technology dilemma – spend valuable engineering time updating a legacy system we were already planning to replace, or accept increasing security risk. Neither option aligned with our business objectives. … With NES we maintained our security posture without compromising our strategic roadmap, all while achieving substantial cost savings.”

— Statista
Markus Wolf, Architect

“Imagine telling your customers you can’t deliver any of the features they’ve been asking for because you need to spend the next year rewriting code that already works. That’s not a conversation any CTO wants to have… The impact [of NES] goes beyond just keeping our lights on — we’ve been able to invest in a completely new component library, improve user experiences, and deliver features that directly contribute to new customer acquisition. That wouldn’t have been possible if we’d been stuck in migration mode.”

— Keelvar
Valentina Roques, CTO
Commonhaus Foundation

ECOSYSTEM PARTNERSHIP

The Commonhaus Foundation is a non-profit home for community-governed open source projects, including Jackson, ensuring their long-term stewardship and sustainability. HeroDevs is proud to be the founding member of the Commonhaus Foundation Open Source Sustainability Initiative (OSSI). HeroDevs worked with Commonhaus to establish this security focused initiative and provides Never-Ending Support (NES) for end-of-life versions of Jackson, and other open-source projects governed by The Commonhaus Foundation.

What changes the day you install NES.

Before — the pain

Every service parses JSON with an EOL Jackson

Scanners flag every build, no upstream patches are coming, and when a new deserialization CVE drops the window between disclosure and exploit is wide open.

After — with HeroDevs

The parser goes from exposed to defended

A one-coordinate swap to the NES build resumes SLA-backed CVE patches across the 2.13.x, 2.14.x, and 2.15.x — with the public API and wire format unchanged.

Before — the pain

An open finding with no answer

Internal audit, SOC 2, and a customer security questionnaire all flag EOL jackson-databind. There's no remediation path and no defensible answer for auditors.

After — with HeroDevs

Findings close, questionnaires answer themselves

A named, vendor-backed build with committed SLAs and VEX statements. Scanners stop flagging CVEs and you reference a runtime aligned to PCI DSS, HIPAA, SOC 2, DORA, and NIS2.

Before — the pain

The EOL clock vs. the roadmap

Bumping Jackson lines can break custom serializers and on-the-wire contracts across hundreds of services. A rushed migration risks production incidents and pulls engineers off the roadmap.

After — with HeroDevs

Migrate on your terms, not the clock

A byte-for-byte drop-in — no code changes. Teams get the breathing room to plan a proper upgrade while the 2.13.x, 2.14.x, and 2.15.x lines stay secure, compliant, and stable.

Real CVEs, fixed on the EOL 2.13.x, 2.14.x, and 2.15.x lines.

HeroDevs is an authorized CVE Numbering Authority (CNA). The advisories below are drawn from the HeroDevs EOL Dataset for the Jackson 2.13.x, 2.14.x, and 2.15.x lines. — if you're running it today, your services are exposed to them. Switch to NES for immediate patches containing fixes to known CVEs. Every fix is published, one advisory per entry.
Severity
CVE
Category
Version(s) Affected
Published Date
Medium
Denial of Service
<20.20.2 >=22.0.0 <22.22.2 >=24.0.0 <24.14.1 >=25.0.0 <25.8.2
Apr 13, 2026
High
Uncontrolled Resource Consumption
v4 < v20.20.0, v22 < v22.22.0, v24 < v24.13.0, v25 < v25.3.0
Jan 13, 2026
High
Path Traversal
4.0 < 20.19.4, 22 < 22.17.1, 24 < 24.4.1
Jul 15, 2025
Medium
HTTP Request Smuggling
4.0 < 20.19.1
May 14, 2025
High
Cryptographic Weakness
4.0 < 20.19.1, 22 < 22.15.0, 24 < 24.0.1
May 14, 2025
Medium
Denial of Service
4.0 < 18.20.6, 20 < 20.18.2
Feb 7, 2025
Medium
Path Traversal
4.0 < 18.20.6, 20 < 20.18.2
Jan 28, 2025
High
Command Injection
4.0 <= 18.20.2, 20 < 20.12.2
Jan 9, 2025
High
HTTP Request Smuggling
>=16.0.0 <16.20.1, >=18.0.0 <18.16.1, >=20.0.0 <20.3.1
Oct 16, 2024
Low
Information Exposure
>=16.0.0 <=16.20.2
Oct 15, 2024
Medium
Denial of Service
>=14.0.0 <=14.21.3, >=16.0.0 <=16.20.2
Oct 15, 2024
Medium
Cryptographic Weakness
4.0 < 18.19.1, 20 < 20.11.1
Sep 7, 2024
High
Command Injection
4.0 < 18.20.4, 20.0 < 20.15.1, 22.0< 22.4.1
Sep 7, 2024
Medium
HTTP Request Smuggling
4.0 < 18.20.1, 20 < 20.12.1
May 7, 2024
Medium
HTTP Request Smuggling
<21.7.2, <20.12.1, <v18.20.1, <= 16.20.2, <=v14.21.3, <= v12.22.12
May 1, 2024
High
Uncontrolled Resource Consumption
4 <= 18.20.0, 20 <= 20.12.0
Apr 9, 2024
High
Privilege Escalation
4.0 < 18.19.1, 20 < 20.11.1
Feb 20, 2024
Medium
Denial of Service
<21.6.2, <20.11.1, <v18.19.1, <= 16.20.2
Feb 14, 2024
High
Denial of Service
<21.6.2, <20.11.1, <v18.19.1, <= 16.20.2, <=v14.21.3, <= v12.22.12
Feb 14, 2024
Medium
Cryptographic Weakness
4.0 < 16.20.1, 18 < 18.16.1, 20 < 20.3.1
Nov 28, 2023
Medium
Insufficient Verification of Data Authenticity
4.0 <= 18.18.1, 20 < 20.8.1
Oct 18, 2023
Medium
Privilege Escalation
4 <= 16.20.1, 0 <= 18.17.0, 0 <= 20.5.0
Aug 24, 2023
Medium
HTTP Request Smuggling
4.0 < 16.20.1, 18 < 18.16.1, 20 < 20.3.1
Jun 30, 2023
Medium
HTTP Request Smuggling
4.0 < 14.20.1, 16 < 16.17.1, 18 < 18.9.1
Dec 5, 2022
High
Resource Injection
4.0 < 14.20.0, 16 < 16.20.0, 18 < 18.5.0
Jul 14, 2022
Medium
HTTP Request Smuggling
4.0 < 14.20.1, 16 < 16.17.1, 18 < 18.9.1
Jul 14, 2022
High
Authorization Bypass
4.0 < 14.20.1, 16 < 16.17.1, 18 < 18.9.1
Jul 14, 2022
Medium
HTTP Request Smuggling
4.0 < 14.20.0, 16 < 16.20.0, 18 < 18.5.0
Jul 14, 2022
Medium
HTTP Request Smuggling
4.0 < 14.20.1, 16 < 16.17.1, 18 < 18.9.1
Jul 14, 2022

10+ Jackson advisories patched across the 2.x line.

Severity
ID
Category
Version(s) Affected
Published Date
Medium
Authorization Bypass
>=2.8.0 <2.18.9, >=2.19.0 <2.21.5, >=3.1.0 <3.1.4
Jun 23, 2026
Medium
Authorization Bypass
<2.18.4, >=2.21.0 <2.21.4, >=3.0.0 <3.1.4
Jun 23, 2026
Medium
Authorization Bypass
>=2.9.0 <2.18.8, >=2.19.0 <2.21.4, >=3.0.0 <3.1.4
Jun 23, 2026
Medium
Denial of Service
>=2.10.0 <2.14.0
Jun 22, 2026
Medium
Server-Side Request Forgery
>=2.0.0 <2.18.8, >=2.19.0 <2.21.4, >=3.0.0 <3.1.4
Jun 22, 2026
High
Remote Code Execution
>=2.10.0 <2.18.8, >=2.19.0 <2.21.4, >=3.0.0 <3.1.4
Jun 22, 2026
High
Remote Code Execution
>=2.10.0 <2.18.8, >=2.19.0 <2.21.4, >=3.0.0 <3.1.4
Jun 22, 2026
High
Denial of Service
<2.15.0
Oct 13, 2025
Medium
Denial of Service
<=2.15.2
Oct 13, 2025
High
Denial of Service
<2.15.0
Oct 13, 2025

Not just jackson-databind.

NES for Jackson covers the artifacts your services actually pull in — core, data formats, data types, and the modules and integrations that bind Jackson to the rest of your stack.

Core & databind

The engine

jackson-core

jackson-databind

jackson-annotations

jackson-bom

Formats & types

Beyond JSON

dataformat-xml

dataformat-yaml

dataformat-csv

dataformat-cbor

datatype-jsr310

datatype-jdk8

Modules & integrations

The glue

module-kotlin

module-scala

module-afterburner

module-blackbird

jaxrs-json-provider

jr-objects

Easy to deploy, No disruptions.

pom.xml
<dependency>
<groupId>com.herodevs.nes.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.13.5-jackson-databind-2.13.6</version>
</dependency>
1

Add the registry

Register registry.herodevs.io as a Maven repository in your pom.xml or settings.xml.

2

Set up your token

Add your HeroDevs auth token to settings.xml so the build can pull the patched artifacts.

3

Bump the coordinate

Change the version to the -nes build and rebuild. No application code changes.

4

Scanners pass

Actively patched and commercially supported — so CVE findings on EOL Jackson close.

A defensible answer for every standard, framework, or regulation

EOL software undermines patch-management expectations across regulations worldwide. NES gives you a maintained, vendor-backed build with committed SLAs and a documented patch history to demonstrate compliance to auditors and regulators.

PCI DSS

US

Req. 6.3.3 requires known critical or high-severity vulnerabilities be patched within 30 days. EOL Jackson with no patch means immediate non-compliance — NES restores the patch path.

HIPAA

US

Unsupported libraries make it hard to show reasonable safeguards for systems handling ePHI. NES provides active maintenance and risk reduction.

SOC 2

Global

Trust Services Criteria expect timely vulnerability remediation and patch management. EOL dependencies fail certification without support.

NIS2

EU

Article 21 covers patching, vulnerability and supply-chain management. EOL software is effectively non-compliant where it creates risk.

DORA

EU

Treats EOL software as a resilience flaw for financial ICT assets. NES sustains a documented patch-management program.

Cyber Resilience Act

EU

Governs software lifecycle security. NES keeps the library handled effectively during the support period.

NIST CSF 2.0

US

Control PR.PS-02 requires organizations to actively maintain or remove vulnerable software based on risk. NES enables compliance without a forced upgrade.

FedRAMP

US

Continuous monitoring expects flaw remediation on a defined cadence. A patched, vendor-backed build keeps EOL Jackson inside the boundary.

Commercial Contracts

Global

Vulnerability and configuration management controls require identifying technical vulnerabilities and keeping software within secure standards. NES restores that posture for EOL software.

Built by security engineers. Backed by a CNA.

HeroDevs is an authorized CVE Numbering Authority, empowered to discover and assign CVE IDs. Every NES for Jackson build takes the known-CVE count to zero for covered artifacts and ships with VEX statements and release notes that map directly to the advisories you need to close — so the unsupported-dependency finding comes off your report.

HeroDevs is also a long-time funder of open source, backing the maintainers and ecosystems that keep software like Jackson moving forward.

CVE Numbering Authority

Discovery & publication of CVEs

VEX statements with every build

Discovery & publication of CVEs

Committed SLAs

Severity-tied patch delivery

Frequently Asked Questions

Is NES a permanent alternative to upgrading?
Does NES for Jackson help with compliance?
How is it delivered?
What does drop-in replacement for EOL Jackson mean?
Which Jackson version does NES support?
What is Never-Ending Support (NES) for Jackson?

Contact Us

Got questions about Never-Ending Support for your open-source library? We're here to help!

Discover how HeroDevs NES Products can keep your systems secure and compliant.

Learn how our solutions can deliver value to your organization.

Get detailed pricing information tailored to your needs.

Google logoLilly logoAbbott logoBox logoEG logoHitachi logoDropbox logoNHS logoWorkday logoFinra logoMicrosoft logoSantander logo
Talk to an Expert

By submitting the form I acknowledge receipt of our Privacy Policy.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.