jackson-core Async Parser Bypasses Number Length Constraint, Raising DoS Risk
A vulnerability in the non-blocking JSON parser of jackson-core allows input with arbitrarily long numbers to bypass the `maxNumberLength` constraint enforced by `StreamReadConstraints`. The standard synchronous parser correctly applies this limit, which defaults to 1000 characters, but the async parsing path fails to enforce it at all—creating an inconsistent security posture within the same library. The issue affects all versions of jackson-core that include the async parsing implementation.
The root cause lies in `NonBlockingUtf8JsonParserBase` and related classes. Number parsing methods such as `_finishNumberIntegralPart` accumulate digits into the `TextBuffer` without performing any length validation. When parsing completes, `_valueComplete()` finalizes the token but does not invoke `resetInt()` or `resetFloat()`, the methods responsible for constraint checks. This means the async API path never triggers the safeguards that exist in the synchronous code path, leaving the `maxNumberLength` boundary effectively unenforced.
The implications carry real weight. An attacker able to send crafted JSON through the async parser API can trigger excessive memory allocation from processing unconstrained numeric strings, alongside potential CPU exhaustion from unbounded parsing operations. This could result in a denial-of-service condition. Systems relying on jackson-core for non-blocking JSON processing face exposure, particularly applications handling untrusted input over APIs or streaming data pipelines. The vulnerability also widens the attack surface for security monitoring tools, API gateways, and microservices that depend on jackson-core's async capabilities. Mitigations include updating to patched versions once released, implementing input validation upstream, or restricting async parser access to trusted sources.
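A consistency check a defender can run against their own jackson-core build, added here as an example (not code from the jackson-core project or from this advisory): it feeds the same oversized integer through the blocking and the non-blocking parser with an explicit `maxNumberLength` of 1000 and reports whether each path raises `StreamConstraintsException`. It uses only the public jackson-core API; the class name, method names and the Java 11+ `String.repeat` call are assumptions.

```java
import com.fasterxml.jackson.core.*;
import com.fasterxml.jackson.core.async.ByteArrayFeeder;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import java.nio.charset.StandardCharsets;

/** Added check: does each parsing path honour maxNumberLength? Hypothetical class name. */
public class NumberLengthConsistencyCheck {

    // Constructed input: one 1,001-digit integer, one digit over the default limit of 1000.
    static final byte[] OVERSIZED =
            ("[" + "7".repeat(1001) + "]").getBytes(StandardCharsets.UTF_8);

    /** Blocking parser: true if the oversized number is rejected with StreamConstraintsException. */
    static boolean syncEnforces(JsonFactory f) throws Exception {
        try (JsonParser p = f.createParser(OVERSIZED)) {
            while (p.nextToken() != null) { /* drain tokens */ }
            return false; // parsed to completion: limit not enforced
        } catch (StreamConstraintsException e) {
            return true;
        }
    }

    /** Non-blocking parser: same document fed in one chunk through the ByteArrayFeeder. */
    static boolean asyncEnforces(JsonFactory f) throws Exception {
        try (JsonParser p = f.createNonBlockingByteArrayParser()) {
            ByteArrayFeeder feeder = (ByteArrayFeeder) p.getNonBlockingInputFeeder();
            feeder.feedInput(OVERSIZED, 0, OVERSIZED.length);
            feeder.endOfInput();
            JsonToken t;
            while ((t = p.nextToken()) != null && t != JsonToken.NOT_AVAILABLE) { /* drain */ }
            return false; // parsed to completion: limit not enforced
        } catch (StreamConstraintsException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Set the limit explicitly (same value as the default) so the check is self-describing.
        JsonFactory f = JsonFactory.builder()
                .streamReadConstraints(StreamReadConstraints.builder().maxNumberLength(1000).build())
                .build();
        System.out.println("sync  path enforces maxNumberLength: " + syncEnforces(f));
        System.out.println("async path enforces maxNumberLength: " + asyncEnforces(f));
        // On an affected version the second line prints false; a fixed build prints true for both.
    }
}
```

Running this as a unit test in CI makes a regression in either path visible the moment a jackson-core upgrade lands.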