Skip to content

GEODE-10589 Remediation of GHSA-2m67-wjpj-xhg9#8015

Open
JinwooHwang wants to merge 3 commits into
apache:developfrom
JinwooHwang:feature/GEODE-10589
Open

GEODE-10589 Remediation of GHSA-2m67-wjpj-xhg9#8015
JinwooHwang wants to merge 3 commits into
apache:developfrom
JinwooHwang:feature/GEODE-10589

Conversation

@JinwooHwang

Copy link
Copy Markdown
Contributor

This pull request upgrades the jackson-core dependency to mitigate GHSA-2m67-wjpj-xhg9. This critical issue involves a document length constraint bypass where blocking, async, and DataInput parsers could accept oversized JSON documents, weakening denial-of-service protections.

Changes

Updated jackson-core to the latest secure version to ensure StreamReadConstraints and maxDocumentLength are consistently enforced.

Security Impact

  • Vulnerability: GHSA-2m67-wjpj-xhg9 (CVSS 7.5)

  • Description: Jackson's parsers previously failed to enforce configured document length constraints on the final in-memory buffer or end-of-input, allowing large documents to bypass configured limits and consume excessive CPU/memory.

  • Resolution: This update ensures maxDocumentLength validation executes properly across all parser pathways, effectively restoring Denial of Service (DoS) protections.

Verification

Verified that all blocking, async, and DataInput parsers properly throw a StreamConstraintsException when payloads exceed StreamReadConstraints.getMaxDocumentLength().

For all changes, please confirm:

  • Is there a JIRA ticket associated with this PR? Is it referenced in the commit message?
  • Has your PR been rebased against the latest commit within the target branch (typically develop)?
  • Is your initial contribution a single, squashed commit?
  • Does gradlew build run cleanly?
  • Have you written or updated unit tests to verify your changes?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?

@JinwooHwang JinwooHwang requested a review from marinov-code July 13, 2026 12:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants