MEDIUM
GHSA-3wrr-7qpf-2prh
jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString()
Details
### Impact
Potential Denial-of-Service when an attacker sends deeply nested JSON, if (and only if) the service:

1. Reads deeply nested (1000s of levels) JSON as a `JsonNode` (`ObjectMapper.readTree()`), and
2. Writes out the same (or a modified) node using `JsonNode.toString()`.

The recursive `toString()` can consume a significant amount of resources under concurrent, relatively small requests (1000 nested arrays is 2kB).
### Patches
Fixed in 2.14.0 via https://github.com/FasterXML/jackson-databind/issues/3447.
### Workarounds
Avoid serializing `JsonNode` using `toString()`; use `ObjectMapper.writeValueAsString(node)` instead.
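The following Java snippet is an added illustration, not code from the advisory or from the jackson-databind project. It combines the workaround above (serialize through `ObjectMapper.writeValueAsString()` rather than `JsonNode.toString()`) with a defensive check the advisory does not describe: a single streaming pass over the input that measures nesting depth with the non-recursive `JsonParser` API and rejects the document before `readTree()` builds a tree. The class name, the helper names and the `MAX_DEPTH` limit are assumptions for this example; the sample documents are constructed inline.

```java
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

public class NestedJsonGuard {

    // Assumed limit for this example; choose one that fits the service's real payloads.
    static final int MAX_DEPTH = 64;

    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** Streams the document once and returns its maximum nesting depth without building a tree. */
    static int maxNestingDepth(String json) throws IOException {
        int depth = 0;
        int max = 0;
        try (JsonParser p = MAPPER.getFactory().createParser(json)) {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t == JsonToken.START_ARRAY || t == JsonToken.START_OBJECT) {
                    depth++;
                    if (depth > max) {
                        max = depth;
                    }
                } else if (t == JsonToken.END_ARRAY || t == JsonToken.END_OBJECT) {
                    depth--;
                }
            }
        }
        return max;
    }

    /** Parses to a JsonNode only if the document stays within MAX_DEPTH. */
    static JsonNode readTreeBounded(String json) throws IOException {
        int depth = maxNestingDepth(json);
        if (depth > MAX_DEPTH) {
            throw new IllegalArgumentException(
                    "JSON nesting depth " + depth + " exceeds limit " + MAX_DEPTH);
        }
        return MAPPER.readTree(json);
    }

    /** Serializes a node via ObjectMapper, as the advisory's workaround recommends, not via toString(). */
    static String writeNode(JsonNode node) throws IOException {
        return MAPPER.writeValueAsString(node);
    }

    /** Constructs a sample document of n nested empty arrays, e.g. "[[[]]]" for n = 3. */
    static String nestedArrays(int n) {
        StringBuilder sb = new StringBuilder(2 * n);
        for (int i = 0; i < n; i++) {
            sb.append('[');
        }
        for (int i = 0; i < n; i++) {
            sb.append(']');
        }
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a shallow document that passes, and a deeper one rejected before readTree().
        String shallow = nestedArrays(10);
        JsonNode node = readTreeBounded(shallow);
        System.out.println("depth " + maxNestingDepth(shallow) + " -> " + writeNode(node));

        String deep = nestedArrays(500);
        try {
            readTreeBounded(deep);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The depth pass costs one extra read of the input but never recurses, so it is safe to run on untrusted data of the size the advisory describes; once the tree has been built, `writeNode()` avoids the recursive `toString()` path entirely. Newer jackson-core releases (2.15 and later) also enforce their own default nesting cap through `StreamReadConstraints`, so on those versions very deep input may already be rejected by the parser itself with a `StreamConstraintsException`.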
Affected packages
Maven / com.fasterxml.jackson.core:jackson-databind
Introduced in: 2.10.0
Fixed in: 2.14.0
Fix
# pom.xml: bump <version>2.14.0</version> for com.fasterxml.jackson.core:jackson-databind
References
- https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-3wrr-7qpf-2prh [WEB]
- https://github.com/FasterXML/jackson-databind/issues/3447 [WEB]
- https://github.com/FasterXML/jackson-databind/commit/a1fa4ae4ecf5cee16da465985f135f3e81816f8c [WEB]
- https://github.com/FasterXML/jackson-databind [PACKAGE]