CVE-2025-49128
📋 TL;DR
This vulnerability in Jackson-core allows up to 500 bytes of unintended memory content to leak in exception messages when parsing JSON from byte arrays with offsets. This affects systems using pooled or reused buffers like Netty or Vert.x, potentially exposing sensitive data from memory. All users of Jackson-core versions 2.0.0 through 2.12.x are affected.
💻 Affected Systems
- Jackson-core
- Any software using Jackson-core for JSON processing
⚠️ Manual Verification Required
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Sensitive data such as passwords, tokens, or other application secrets from memory buffers could be exposed to attackers through error messages.
Likely Case
Limited information disclosure of random memory contents from pooled buffers, potentially including fragments of previous requests or application data.
If Mitigated
No information disclosure if exception messages are not exposed to clients or source inclusion is disabled.
🎯 Exploit Status
Exploitation requires ability to trigger JSON parsing exceptions and access to resulting error messages, which is straightforward in many web applications.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.13.0 or later
Vendor Advisory: https://github.com/FasterXML/jackson-core/security/advisories/GHSA-wf8f-6423-gfxg
Restart Required: Yes
Instructions:
1. Update the Jackson-core dependency to version 2.13.0 or later.
2. Update pom.xml or build.gradle to reference the fixed version.
3. Rebuild and redeploy the application.
4. Restart affected services.
🔧 Temporary Workarounds
Disable exception message exposure
Configure the application so that JSON parsing exception messages are never returned to clients in HTTP responses.
Application-specific configuration, typically in error-handling middleware.
Disable source inclusion in exceptions
Configure Jackson not to embed source content in exception messages (the JsonLocation attached to a parse error then carries no snippet of the input buffer).
ObjectMapper mapper = new ObjectMapper();
mapper.configure(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION, false);
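As an added example (not code from this advisory or the Jackson project), a small Java self-check for the workaround above: it parses malformed JSON from an offset inside a constructed buffer whose leading bytes stand in for leftover pooled data, and reports whether those leading bytes show up in the exception message. The class name and the sample bytes are assumptions; the ObjectMapper and JsonParser.Feature calls are the real Jackson API.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.ObjectMapper;

// Hypothetical self-check (not part of Jackson): does a parse error on a slice
// of a reused buffer echo bytes that lie *before* the slice into the message?
public class SourceLeakCheck {

    // Constructed sample data: bytes left behind by a "previous request" at the
    // start of a pooled buffer, followed by the malformed JSON actually parsed.
    static final byte[] LEFTOVER = "LEFTOVER-SECRET-FROM-PREVIOUS-REQUEST "
            .getBytes(StandardCharsets.UTF_8);
    static final byte[] BAD_JSON = "{\"ok\": tru}".getBytes(StandardCharsets.UTF_8);

    static byte[] pooledBuffer() {
        byte[] buf = new byte[LEFTOVER.length + BAD_JSON.length];
        System.arraycopy(LEFTOVER, 0, buf, 0, LEFTOVER.length);
        System.arraycopy(BAD_JSON, 0, buf, LEFTOVER.length, BAD_JSON.length);
        return buf;
    }

    /** Parses only the JSON slice (offset/length) and returns the error text. */
    static String parseErrorMessage(ObjectMapper mapper) {
        byte[] buf = pooledBuffer();
        try {
            mapper.readValue(buf, LEFTOVER.length, BAD_JSON.length, Object.class);
            return "";  // not expected: BAD_JSON is invalid
        } catch (IOException e) {  // JsonProcessingException extends IOException
            return e.getMessage();  // includes the JsonLocation and its source snippet
        }
    }

    /** True if bytes outside the parsed slice ended up in the exception message. */
    static boolean leaksBytesOutsideSlice(ObjectMapper mapper) {
        return parseErrorMessage(mapper).contains("LEFTOVER-SECRET");
    }

    public static void main(String[] args) {
        ObjectMapper defaults = new ObjectMapper();

        // The workaround from this advisory: no source snippet in locations at all.
        ObjectMapper hardened = new ObjectMapper();
        hardened.configure(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION, false);

        System.out.println("default mapper leaks prefix bytes: " + leaksBytesOutsideSlice(defaults));
        System.out.println("INCLUDE_SOURCE_IN_LOCATION=false:  " + leaksBytesOutsideSlice(hardened));
    }
}
```

On an affected version with default settings the first line prints true; with the workaround applied, or after updating to 2.13.0 or later where the source description respects the offset, both print false.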
🧯 If You Can't Patch
- Implement strict error handling to prevent exception messages from being returned to clients
- Use custom exception handlers that sanitize or truncate error messages before exposure
🔍 How to Verify
Check if Vulnerable:
Check the Jackson-core version in your dependencies with mvn dependency:tree | grep jackson-core (Maven) or gradle dependencies | grep jackson-core (Gradle).
Check Version:
mvn dependency:tree | grep -i jackson-core || gradle dependencies | grep -i jackson-core || find . -name "*.jar" | xargs -I {} sh -c 'jar tf "$1" | grep -q jackson-core && echo "$1"' _ {}
Verify Fix Applied:
After updating, confirm that the resolved jackson-core version in the dependency tree is 2.13.0 or higher.
📡 Detection & Monitoring
Log Indicators:
- Unexpected memory content in JSON parsing error messages
- Exception messages containing binary or unexpected data
Network Indicators:
- HTTP responses containing Jackson parsing exceptions with unexpected data
SIEM Query:
source="*application.log*" AND "JsonProcessingException" AND ("_appendSourceDesc" OR "JsonLocation")
🔗 References
- https://github.com/FasterXML/jackson-core/commit/a6c297682737dde13337cb7c3020f299518609a8
- https://github.com/FasterXML/jackson-core/pull/652
- https://github.com/FasterXML/jackson-core/security/advisories/GHSA-wf8f-6423-gfxg