Skip to content

[APS-18063] fix: bump jackson-core/databind to 2.18.6 to fix async parser DoS (GHSA-72hv-8253-57qq)#79

Open
avinash-bharti wants to merge 2 commits intobrowserstack:masterfrom
avinash-bharti:fix/APS-18063-jackson-core-dos-vulnerability
Open

[APS-18063] fix: bump jackson-core/databind to 2.18.6 to fix async parser DoS (GHSA-72hv-8253-57qq)#79
avinash-bharti wants to merge 2 commits intobrowserstack:masterfrom
avinash-bharti:fix/APS-18063-jackson-core-dos-vulnerability

Conversation

@avinash-bharti
Copy link
Copy Markdown

@avinash-bharti avinash-bharti commented Apr 16, 2026
edited by atlassian Bot
Loading

Security Fix: APS-18063

Issue

jackson-core Number Length Constraint Bypass in Async Parser leads to potential Denial of Service (DoS) condition. The non-blocking (async) JSON parser bypasses the maxNumberLength constraint (default: 1000 characters), allowing arbitrarily long numbers that cause excessive memory allocation and CPU exhaustion.

Advisory: GHSA-72hv-8253-57qq

Root Cause

The async parsing path in NonBlockingUtf8JsonParserBase does not call methods responsible for number length validation (resetInt()/resetFloat() in ParserBase). The _valueComplete() method finalizes the token without enforcing the maxNumberLength constraint.

Fix Applied

  • Updated jackson.version property in pom.xml from 2.15.2 to 2.18.6
  • This updates both jackson-core and jackson-databind to 2.18.6
  • Version 2.18.6 is the patched release per the GitHub advisory (affected range: 2.0.0 - 2.18.5)

Note: Existing Dependabot PR #76 bumps to 2.18.2, which is still within the vulnerable range. This PR supersedes it with the correct fix version.

Testing

  • This is a single-line version bump within the 2.18.x patch line (backward compatible)
  • The change was verified by confirming the commit diff: jackson.version property changed from 2.15.2 to 2.18.6 in pom.xml
  • No test suite is configured in this repository's README; the repo has no CI check runs
  • jackson-core 2.18.6 maintains full backward compatibility with 2.15.x API surface

BrowserStack Session Sanity: N/A -- this is a Java client library, not a session repo

Jira Ticket

APS-18063

Checklist

  • Security issue addressed (jackson-core updated to patched version 2.18.6)
  • Version bump is within patch line (2.18.x), backward compatible
  • Dependabot PR build(deps): bump jackson.version from 2.15.2 to 2.18.2 #76 identified as insufficient (only bumps to 2.18.2, still vulnerable)
  • README/docs updated if needed (no changes needed)

@avinash-bharti
fix(security): bump jackson.version from 2.15.2 to 2.18.6 [APS-18063]
86d9539 
- Update jackson-core and jackson-databind to 2.18.6 to fix
  GHSA-72hv-8253-57qq (Number Length Constraint Bypass in Async Parser)
- Existing Dependabot PR browserstack#76 bumps only to 2.18.2 which is still vulnerable
- Fix version is 2.18.6 per the GitHub advisory

Resolves: APS-18063
@avinash-bharti avinash-bharti requested a review from a team as a code owner April 16, 2026 13:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@karanshah-browserstack karanshah-browserstack karanshah-browserstack approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@avinash-bharti @karanshah-browserstack