When Jackson goes EOL, the CVEs don't stop.
Never-Ending Support (NES) for Jackson keeps the JSON parser at the heart of your Java stack secure, compliant, and audit-ready, even after end of life. NES gives your security team, your engineers, and your leadership back something they lost at EOL: the power to control their own security posture, their own timeline, and where the business focuses its attention.
TRUSTED BY ENTERPRISE

Security, compliance, and continuity -- solved together
Jackson is the default JSON serializer in Spring Boot and sits in nearly every JVM service you ship — but the 2.13.x, 2.14.x, and 2.15.x lines have stopped receiving upstream fixes, so new CVEs go unpatched and scanners flag every build. NES for Jackson is a secure build of the 2.13.x, 2.14.x, and 2.15.x linesCVE fixes across all severity levels on the EOL 2.x line
Security
The risk: deserialization is a preferred target — and EOL means no upstream fix.
CVE fixes across all severity levels on the EOL 2.x line — closing the window that deserialization attacks depend on.
SLA-backed patch delivery tied to severity
Back-ported fixes for 2.13.x, 2.14.x, and 2.15.x
Core, dataformat, datatype & module coverage
Compliance
The risk: an open audit finding with no fix path under CRA, PCI DSS, SOC 2, DORA & NIS2.
Scanners stop flagging CVEs in EOL Jackson and every build ships with a VEX statement so the unsupported-dependency finding comes off your report.
Coverage for SOC 2, PCI DSS, HIPAA, FedRAMP
DORA, NIS2, EU Cyber Resilience Act, and more
VEX statements & documented patch history
Business Continuity
The risk: a rushed upgrade breaks custom serializers and on-the-wire contracts.
A drop-in Maven artifact that swaps in with one coordinate change and no app code — so you migrate Jackson lines on your own schedule.
Months or years of runway to migrate right
No rewrites, no broken serializers
A fraction of migration cost

ECOSYSTEM PARTNERSHIP
The Commonhaus Foundation is a non-profit home for community-governed open source projects, including Jackson, ensuring their long-term stewardship and sustainability. HeroDevs is proud to be the founding member of the Commonhaus Foundation Open Source Sustainability Initiative (OSSI). HeroDevs worked with Commonhaus to establish this security focused initiative and provides Never-Ending Support (NES) for end-of-life versions of Jackson, and other open-source projects governed by The Commonhaus Foundation.
What changes the day you install NES.
Before — the pain
Every service parses JSON with an EOL Jackson
Scanners flag every build, no upstream patches are coming, and when a new deserialization CVE drops the window between disclosure and exploit is wide open.
After — with HeroDevs
The parser goes from exposed to defended
A one-coordinate swap to the NES build resumes SLA-backed CVE patches across the 2.13.x, 2.14.x, and 2.15.x — with the public API and wire format unchanged.
Before — the pain
An open finding with no answer
Internal audit, SOC 2, and a customer security questionnaire all flag EOL jackson-databind. There's no remediation path and no defensible answer for auditors.
After — with HeroDevs
Findings close, questionnaires answer themselves
A named, vendor-backed build with committed SLAs and VEX statements. Scanners stop flagging CVEs and you reference a runtime aligned to PCI DSS, HIPAA, SOC 2, DORA, and NIS2.
Before — the pain
The EOL clock vs. the roadmap
Bumping Jackson lines can break custom serializers and on-the-wire contracts across hundreds of services. A rushed migration risks production incidents and pulls engineers off the roadmap.
After — with HeroDevs
Migrate on your terms, not the clock
A byte-for-byte drop-in — no code changes. Teams get the breathing room to plan a proper upgrade while the 2.13.x, 2.14.x, and 2.15.x lines stay secure, compliant, and stable.
Real CVEs, fixed on the EOL 2.13.x, 2.14.x, and 2.15.x lines.
10+ Jackson advisories patched across the 2.x line.
Not just jackson-databind.
NES for Jackson covers the artifacts your services actually pull in — core, data formats, data types, and the modules and integrations that bind Jackson to the rest of your stack.
Core & databind
The engine
jackson-core
jackson-databind
jackson-annotations
jackson-bom
Formats & types
Beyond JSON
dataformat-xml
dataformat-yaml
dataformat-csv
dataformat-cbor
datatype-jsr310
datatype-jdk8
Modules & integrations
The glue
module-kotlin
module-scala
module-afterburner
module-blackbird
jaxrs-json-provider
jr-objects
Easy to deploy, No disruptions.
Add the registry
Register registry.herodevs.io as a Maven repository in your pom.xml or settings.xml.
Set up your token
Add your HeroDevs auth token to settings.xml so the build can pull the patched artifacts.
Bump the coordinate
Change the version to the -nes build and rebuild. No application code changes.
Scanners pass
Actively patched and commercially supported — so CVE findings on EOL Jackson close.
A defensible answer for every standard, framework, or regulation
EOL software undermines patch-management expectations across regulations worldwide. NES gives you a maintained, vendor-backed build with committed SLAs and a documented patch history to demonstrate compliance to auditors and regulators.
PCI DSS
Req. 6.3.3 requires known critical or high-severity vulnerabilities be patched within 30 days. EOL Jackson with no patch means immediate non-compliance — NES restores the patch path.
HIPAA
Unsupported libraries make it hard to show reasonable safeguards for systems handling ePHI. NES provides active maintenance and risk reduction.
SOC 2
Trust Services Criteria expect timely vulnerability remediation and patch management. EOL dependencies fail certification without support.
NIS2
Article 21 covers patching, vulnerability and supply-chain management. EOL software is effectively non-compliant where it creates risk.
DORA
Treats EOL software as a resilience flaw for financial ICT assets. NES sustains a documented patch-management program.
Cyber Resilience Act
Governs software lifecycle security. NES keeps the library handled effectively during the support period.
NIST CSF 2.0
Control PR.PS-02 requires organizations to actively maintain or remove vulnerable software based on risk. NES enables compliance without a forced upgrade.
FedRAMP
Continuous monitoring expects flaw remediation on a defined cadence. A patched, vendor-backed build keeps EOL Jackson inside the boundary.
Commercial Contracts
Vulnerability and configuration management controls require identifying technical vulnerabilities and keeping software within secure standards. NES restores that posture for EOL software.
Built by security engineers. Backed by a CNA.
HeroDevs is an authorized CVE Numbering Authority, empowered to discover and assign CVE IDs. Every NES for Jackson build takes the known-CVE count to zero for covered artifacts and ships with VEX statements and release notes that map directly to the advisories you need to close — so the unsupported-dependency finding comes off your report.
HeroDevs is also a long-time funder of open source, backing the maintainers and ecosystems that keep software like Jackson moving forward.
CVE Numbering Authority
Discovery & publication of CVEs
VEX statements with every build
Discovery & publication of CVEs
Committed SLAs
Severity-tied patch delivery
Frequently Asked Questions
No. NES closes the security gap during your migration window — it is not a permanent alternative to moving to a supported Jackson line. It buys you the time to upgrade on your own schedule while staying secure and audit-ready.
Yes. Once installed, scanners stop flagging CVEs on EOL Jackson because the artifacts are actively patched and commercially supported. NES helps meet patch-management expectations under PCI DSS, HIPAA, FedRAMP, SOC 2, DORA, NIS2, and the EU Cyber Resilience Act, with committed SLAs, VEX statements, and a documented patch history.
As drop-in replacement artifacts on the HeroDevs Maven registry (registry.herodevs.io). A NES coordinate looks like com.herodevs.nes.fasterxml.jackson.core:jackson-databind:2.13.5-jackson-databind-2.13.6.
NES builds preserve the public API and on-the-wire behavior of Jackson 2.x. You add the HeroDevs Maven registry, authenticate with your token, and change the version coordinate — there are no application code changes, and custom serializers and modules keep working.
NES for Jackson covers the 2.x line across the core, dataformat, datatype, module, and integration artifacts — not just jackson-databind. If you are on an older line such as 2.10–2.12, contact HeroDevs about coverage.
NES for Jackson is HeroDevs' commercially supported build of the Jackson JSON library for organizations running the end-of-life 2.x line. It is a drop-in Maven artifact that delivers ongoing vulnerability fixes and compliance coverage, giving teams time to plan and execute a migration on their own schedule.
Contact Us
Got questions about Never-Ending Support for your open-source library? We're here to help!
Discover how HeroDevs NES Products can keep your systems secure and compliant.
Learn how our solutions can deliver value to your organization.
Get detailed pricing information tailored to your needs.
Stay on Top of Java and JVM Security & Compliance Updates
View All Articles

.png)
