Allocation of Resources Without Limits or Throttling in jackson-core - #VU137339
Published: July 12, 2026
jackson-core
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in the NonBlockingUtf8JsonParserBase async parser when processing chunked JSON input containing an unterminated integer value. A remote attacker can stream many small chunks of digits without sending a terminator byte to cause a denial of service.
The issue affects the non-blocking streaming path and validation is deferred until the number is completed or end of input is reached.