CVE-2023-35116
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
The jackson-databind project is the general data-binding package of the Jackson JSON processor. It builds on the streaming parser and generator API in jackson-core and the annotations in jackson-annotations to convert between JSON and Java objects: POJOs, Maps, Lists and arrays, as well as its JsonNode tree model. Its central entry point is ObjectMapper, which is what most applications call to serialize Java objects to JSON and to read JSON back into Java objects.
A potential Denial of Service (DoS) vulnerability (CVE-2023-35116) was reported against jackson-databind. The vendor disputes it, because the two steps needed to trigger it, constructing a cyclic data structure and then serializing it, are performed by the application itself and cannot be driven by an external attacker.
The GitHub issue for the report carries comments from the Jackson maintainers disputing it. The discussion clarifies that this is not a security vulnerability (and, in the maintainers' view, should not have been assigned a CVE), but a robustness flaw in the handling of cyclic data structures.
Details
Module Info
- Product: Jackson Databind
- Affected packages: jackson-databind
- Affected versions: <=2.15.2
- GitHub repository: https://github.com/FasterXML/jackson-databind
- Published packages: https://central.sonatype.com/artifact/com.fasterxml.jackson.core/jackson-databind
- Package manager: Maven
Vulnerability Info
The issue reports that jackson-databind versions through 2.15.2 can encounter a StackOverflowError during serialization when a Map contains a cyclic reference (e.g. the map contains itself as a value). The provided proof-of-concept is a simple self-referential map (map.put("t", map)) which, when serialized, causes unbounded recursion in the serializer and ultimately a stack overflow.
This issue is a logic flaw in application design, not a security vulnerability. A StackOverflowError caused by serializing a self-referential object, such as a Map that contains itself, results from faulty data modeling or serializer misuse rather than from attacker-controlled input: an external party cannot make an application build a cyclic Java object graph through JSON it sends, because JSON itself has no way to express a reference cycle.
In normal use, applications must ensure that data structures passed to Jackson (or any serializer) are acyclic and well-formed. Allowing self-referential or infinitely recursive objects is a programming error, since no finite JSON representation exists for such data. While an unhandled StackOverflowError can crash a thread or deny service, the condition is not considered a security issue because it cannot be triggered by an attacker.
In short, this is a case of bad application logic, passing invalid recursive structures to the serializer, rather than a flaw in Jackson's security model.
Mitigation
Only recent versions of jackson-databind are community-supported, and only those community-supported versions receive updates that address this issue. For more information, see here.
Users of the affected components should apply the following mitigation:
- To prevent StackOverflowErrors from self-referential or deeply nested structures, validate data before serialization: reject any object graph that contains a reference cycle (for example a Map that contains itself, directly or through nested collections) before handing it to ObjectMapper. Catching StackOverflowError after the fact is not a reliable substitute, since the thread's stack is already exhausted by the time it is thrown.
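The following is an added example of the pre-serialization check described above; it is not code from the advisory or from the Jackson project. The hypothetical CycleGuard class walks the container part of an object graph (Map values, Iterables and arrays, which goes beyond the Map-only case in the report) while tracking the objects on the current descent path in an identity set, so a genuine reference cycle is rejected while the same object merely being referenced twice (a DAG) is still allowed. Only containers are descended; POJO fields are not inspected, which is an assumption of this example.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;

// Hypothetical helper (example code, not part of jackson-databind).
public final class CycleGuard {

    private CycleGuard() {}

    // Returns true when no reference cycle is reachable through Map values,
    // Iterables or arrays. Identity, not equals(), is what matters here, so the
    // visited set is backed by an IdentityHashMap.
    public static boolean isAcyclic(Object value) {
        Set<Object> onPath = Collections.newSetFromMap(new IdentityHashMap<>());
        return walk(value, onPath);
    }

    private static boolean walk(Object node, Set<Object> onPath) {
        if (node == null) {
            return true;
        }
        Iterable<?> children;
        if (node instanceof Map) {
            children = ((Map<?, ?>) node).values();       // JSON keys are strings; only values can nest
        } else if (node instanceof Iterable) {
            children = (Iterable<?>) node;
        } else if (node instanceof Object[]) {
            children = Arrays.asList((Object[]) node);
        } else {
            return true;                                   // scalar or POJO: not descended (assumption)
        }
        if (!onPath.add(node)) {
            return false;                                  // node is already on the current path: cycle
        }
        try {
            for (Object child : children) {
                if (!walk(child, onPath)) {
                    return false;
                }
            }
        } finally {
            onPath.remove(node);                           // leaving the node: shared sub-graphs stay legal
        }
        return true;
    }

    // Refuses cyclic input up front instead of letting the serializer recurse
    // until the thread's stack is exhausted.
    public static String serializeChecked(ObjectMapper mapper, Object value)
            throws JsonProcessingException {
        if (!isAcyclic(value)) {
            throw new IllegalArgumentException("refusing to serialize a cyclic object graph");
        }
        return mapper.writeValueAsString(value);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();

        // Constructed inputs. First, the shape from the report: a map that contains itself.
        Map<String, Object> cyclic = new LinkedHashMap<>();
        cyclic.put("t", cyclic);

        // Second, a DAG: the same child referenced twice, which is not a cycle and must pass.
        Map<String, Object> shared = new LinkedHashMap<>();
        shared.put("k", 1);
        Map<String, Object> dag = new LinkedHashMap<>();
        dag.put("a", shared);
        dag.put("b", shared);

        // Third, a cycle hidden inside a nested list.
        Map<String, Object> viaList = new LinkedHashMap<>();
        viaList.put("items", Arrays.asList("x", viaList));

        System.out.println(serializeChecked(mapper, dag));  // {"a":{"k":1},"b":{"k":1}}
        for (Object bad : new Object[] {cyclic, viaList}) {
            try {
                serializeChecked(mapper, bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

For object graphs made of POJOs with intentional back-references (parent/child beans), this walker does not help; Jackson's own @JsonIdentityInfo, or the @JsonManagedReference/@JsonBackReference pair, is the supported way to serialize such graphs without recursing. Note also that jackson-core 2.16 added StreamWriteConstraints with a default maxNestingDepth of 1000, so on newer versions a runaway serialization ends in a StreamConstraintsException rather than a StackOverflowError; the check above is still worthwhile because it fails fast and reports the real cause instead of a depth limit.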