Anonymous Intelligence Signal

Jackson Core Security Flaw: Async Parser Bypasses Critical Number Length Constraint

The Lab (human) | unverified | 2026-03-27 18:27:36 | Source: GitHub Issues

A critical security vulnerability in the widely used Jackson Core library allows attackers to bypass a key defense mechanism. The non-blocking (async) JSON parser fails to enforce the `maxNumberLength` constraint, a limit designed to prevent denial-of-service attacks. This flaw, tracked as GHSA-72hv-8253-57qq, means an attacker can send JSON payloads containing arbitrarily long numbers through the async parser API, effectively sidestepping a default 1000-character limit intended to protect systems from resource exhaustion.

The vulnerability resides in the `com.fasterxml.jackson.core:jackson-core` library, a foundational component for JSON processing in countless Java applications. The issue specifically affects the async (non-blocking) parser, which processes numbers of unlimited length regardless of the `maxNumberLength` value configured in `StreamReadConstraints`. This bypass creates a direct path for exploitation: maliciously crafted JSON could overwhelm parser resources, leading to application instability or crashes. The update from version 2.21.0 to 2.21.1, highlighted in a GitHub dependency fix PR, is the official patch for this security gap.
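The following is an added, defender-side check (not code from the advisory or from the Jackson project): it configures an explicit `maxNumberLength`, feeds one over-long number through both the blocking parser and the non-blocking parser, and reports whether each one actually enforces the limit. It assumes Jackson 2.15 or later (where `StreamReadConstraints` exists) and the standard `ByteArrayFeeder` API; the class name and the 1500-digit input document are constructed for the example.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.async.ByteArrayFeeder;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public class NumberLengthCheck {
    // Constructed input: one 1500-digit integer, well past the 1000-character default limit.
    static final byte[] LONG_NUMBER_DOC =
            ("[" + "9".repeat(1500) + "]").getBytes(StandardCharsets.UTF_8);
    // Factory with the limit set explicitly, so the check does not depend on library defaults.
    static JsonFactory constrainedFactory() {
        return JsonFactory.builder()
                .streamReadConstraints(StreamReadConstraints.builder().maxNumberLength(1000).build())
                .build();
    }
    // Drains the parser; true only if StreamConstraintsException was raised, i.e. the
    // configured maxNumberLength was actually enforced for this parser type.
    static boolean limitEnforced(JsonParser p) throws IOException {
        try {
            for (JsonToken t = p.nextToken(); t != null && t != JsonToken.NOT_AVAILABLE; t = p.nextToken()) {
                if (t.isNumeric()) {
                    p.getNumberValue(); // force the number to be materialised
                }
            }
            return false;
        } catch (StreamConstraintsException e) {
            return true;
        } finally {
            p.close();
        }
    }
    public static void main(String[] args) throws IOException {
        JsonFactory f = constrainedFactory();
        // Blocking parser: expected to reject the over-long number.
        boolean blocking = limitEnforced(f.createParser(LONG_NUMBER_DOC));
        // Async parser: feed the whole document, signal end of input, then drain it.
        JsonParser async = f.createNonBlockingByteArrayParser();
        ByteArrayFeeder feeder = (ByteArrayFeeder) async.getNonBlockingInputFeeder();
        feeder.feedInput(LONG_NUMBER_DOC, 0, LONG_NUMBER_DOC.length);
        feeder.endOfInput();
        boolean nonBlocking = limitEnforced(async);
        System.out.println("blocking parser enforces maxNumberLength: " + blocking);
        System.out.println("async parser enforces maxNumberLength:    " + nonBlocking);
    }
}
```

On an affected release the second line reports `false` while the first reports `true`; after upgrading to 2.21.1 both should report `true`, which makes this a useful regression test to keep in a build that depends on the async API.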

The widespread adoption of Jackson Core across enterprise and open-source software elevates the risk profile of this flaw. Systems relying on the async parsing API for high-throughput data ingestion are particularly exposed. While the patch is available, the bypass is silent: a configured security constraint simply does not apply, so many deployments may be vulnerable without any obvious sign of an attack, and tightening `maxNumberLength` in configuration offers no protection on affected versions because the async parser ignores it. Upgrading to 2.21.1 is the fix. This underscores the persistent challenge of securing foundational software dependencies against subtle logic flaws that undermine explicit security boundaries.