Jackson-core and Jackson-databind security audit

2nd November, 2022
David Korczynski,
Security Research & Security Engineering
Adam Korczynski,
Security Engineering & Security Automation

Ada Logics recently carried out a security audit of Jackson-core and Jackson-databind. Jackson-core and Jackson-databind are libraries that offer a series of features related to data parsing and databinding.

Goals of the audit

The security review took a holistic approach with several high-level goals. First, we formalised a threat model for both libraries, which identified the most commonly used methods that handle untrusted data. The threat model is meant to be helpful to Jackson maintainers, contributors and users, as well as to security researchers who wish to contribute to the continued security of both projects. Next, Ada Logics improved the fuzzing suites of both projects, using the threat model to target the most critical methods. This part was especially rewarding and resulted in several high-severity findings. Finally, we did a manual audit, which found that the projects' ongoing security work was clearly visible, and which identified a few issues that could put users at risk if the particular components were used insecurely.

Security Findings

The audit found 12 issues ranging in severity from informational to high. The most notable findings were two high-severity CVEs:

CVE-2022-42003: Resource Exhaustion via UNWRAP_SINGLE_VALUE_ARRAYS
CVE-2022-42004: Resource Exhaustion via BeanDeserializer._deserializeFromArray

Both CVEs had the same root cause: unbounded recursion that overflowed the stack and could crash the application in which Jackson was running. Two similar issues were found, but these were assessed to have such a rare use case - if any at all - that CVEs were not assigned.
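The defensive counterpart to this class of bug is a hard limit on nesting depth at the parser level, so that a deeply nested document is rejected before any recursive deserializer sees it. The following is an added example, not code from the audit or from the Jackson project; it assumes jackson-core and jackson-databind 2.15 or later, where the StreamReadConstraints API is available, and the nested-array input is constructed inline.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

public class NestingDepthGuard {

    // Build a mapper whose parser refuses any document nested deeper than maxDepth.
    // StreamReadConstraints is an assumption of this example (jackson-core 2.15+).
    static ObjectMapper guardedMapper(int maxDepth) {
        StreamReadConstraints constraints = StreamReadConstraints.builder()
                .maxNestingDepth(maxDepth)
                .build();
        JsonFactory factory = JsonFactory.builder()
                .streamReadConstraints(constraints)
                .build();
        ObjectMapper mapper = new ObjectMapper(factory);
        // The feature named in CVE-2022-42003, enabled to show the guard applies regardless.
        mapper.enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
        return mapper;
    }

    // Constructed input: a single integer wrapped in `depth` nested arrays, e.g. [[[1]]].
    static String nestedArrays(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append('[');
        sb.append('1');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = guardedMapper(100);

        // Well within the limit: parses normally into nested lists.
        Object ok = mapper.readValue(nestedArrays(50), Object.class);
        System.out.println("depth 50 parsed: " + ok.getClass().getSimpleName());

        // Beyond the limit: the parser aborts with a bounded error instead of recursing
        // until the stack is exhausted.
        try {
            mapper.readValue(nestedArrays(100_000), Object.class);
            System.out.println("depth 100000 parsed (guard not active)");
        } catch (StreamConstraintsException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

The same limit is enforced for objects as well as arrays, so it also covers the BeanDeserializer path named in CVE-2022-42004.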

Acknowledgements

We would like to thank Jackson maintainer Tatu Saloranta for his cooperation - and for maintaining a vital piece of global critical infrastructure - and OSTIF for facilitating the security audit.
