Update dependency com.fasterxml.jackson.core:jackson-core to v2.15.0 [SECURITY] (master)

[renovatebot-confluentinc]

For any questions/concerns about this PR, please review the Renovate Bot wiki/FAQs, or the #renovatebot Slack channel.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
com.fasterxml.jackson.core:jackson-core	2.6.7 -> 2.15.0

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Jackson-core Vulnerable to Memory Disclosure via Source Snippet in JsonLocation

CVE-2025-49128 / GHSA-wf8f-6423-gfxg

More information

Details

Overview

A flaw in Jackson-core's JsonLocation._appendSourceDesc method allows up to 500 bytes of unintended memory content to be included in exception messages. When parsing JSON from a byte array with an offset and length, the exception message incorrectly reads from the beginning of the array instead of the logical payload start. This results in possible information disclosure in systems using pooled or reused buffers, like Netty or Vert.x.

Details

The vulnerability affects the creation of exception messages like:

JsonParseException: Unexpected character ... at [Source: (byte[])...]

When JsonFactory.createParser(byte[] data, int offset, int len) is used, and an error occurs while parsing, the exception message should include a snippet from the specified logical payload. However, the method _appendSourceDesc ignores the offset, and always starts reading from index 0.

If the buffer contains residual sensitive data from a previous request, such as credentials or document contents, that data may be exposed if the exception is propagated to the client.

The issue particularly impacts server applications using:

• Pooled byte buffers (e.g., Netty)
• Frameworks that surface parse errors in HTTP responses
• Default Jackson settings (i.e., INCLUDE_SOURCE_IN_LOCATION is enabled)

A documented real-world example is CVE-2021-22145 in Elasticsearch, which stemmed from the same root cause.

Attack Scenario

An attacker sends malformed JSON to a service using Jackson and pooled byte buffers (e.g., Netty-based HTTP servers). If the server reuses a buffer and includes the parser’s exception in its HTTP 400 response, the attacker may receive residual data from previous requests.

Proof of Concept

byte[] buffer = new byte[1000];
System.arraycopy("SECRET".getBytes(), 0, buffer, 0, 6);
System.arraycopy("{ \"bad\": }".getBytes(), 0, buffer, 700, 10);

JsonFactory factory = new JsonFactory();
JsonParser parser = factory.createParser(buffer, 700, 20);
parser.nextToken(); // throws exception

// Exception message will include "SECRET"

Patches

This issue was silently fixed in jackson-core version 2.13.0, released on September 30, 2021, via PR #​652.

All users should upgrade to version 2.13.0 or later.

Workarounds

If upgrading is not immediately possible, applications can mitigate the issue by:

1. Disabling exception message exposure to clients — avoid returning parsing exception messages in HTTP responses.

2. Disabling source inclusion in exceptions by setting:

   jsonFactory.disable(JsonFactory.Feature.INCLUDE_SOURCE_IN_LOCATION);

   This prevents Jackson from embedding any source content in exception messages, avoiding leakage.

References

• Pull Request #​652 (Fix implementation)
• CVE-2021-22145 (Elasticsearch exposure of this flaw)

Severity

• CVSS Score: 4.0 / 10 (Medium)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

• https://github.com/FasterXML/jackson-core/security/advisories/GHSA-wf8f-6423-gfxg
• https://nvd.nist.gov/vuln/detail/CVE-2021-22145
• https://nvd.nist.gov/vuln/detail/CVE-2025-49128
• https://github.com/FasterXML/jackson-core/pull/652
• https://github.com/FasterXML/jackson-core/commit/a6c297682737dde13337cb7c3020f299518609a8
• https://github.com/FasterXML/jackson-core

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

jackson-core can throw a StackoverflowError when processing deeply nested data

CVE-2025-52999 / GHSA-h46c-h94j-95f3

More information

Details

Impact

With older versions of jackson-core, if you parse an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large.

Patches

jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. Change is in https://github.com/FasterXML/jackson-core/pull/943. jackson-core will throw a StreamConstraintsException if the limit is reached.
jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs.

Workarounds

Users should avoid parsing input files from untrusted sources.

Severity

• CVSS Score: Unknown
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3
• https://nvd.nist.gov/vuln/detail/CVE-2025-52999
• https://github.com/FasterXML/jackson-core/pull/943
• https://github.com/FasterXML/jackson-core

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[service-bot-app]

Could not automerge PR: CI checks have not passed