Hi Tika Team,
Our scan identifies below vulnerability on Tika 2.9.5 Snapshot build, details are shown below,
"WS-2026-0003
The non-blocking (async) JSON parser in jackson-core bypasses the maxNumberLength constraint (default: 1000 characters) defined in StreamReadConstraints. This allows an attacker to send JSON with arbitrarily long numbers through the async parser API, leading to excessive memory allocation and potential CPU exhaustion, resulting in a Denial of Service (DoS). The standard synchronous parser correctly enforces this limit, but the async parser fails to do so, creating an inconsistent enforcement policy. "
The non-blocking (async) JSON parser in jackson-core bypasses the maxNumberLength constraint (default: 1000 characters) defined in StreamReadConstraints. This allows an attacker to send JSON with arbitrarily long numbers through the async parser API, leading to excessive memory allocation and potential CPU exhaustion, resulting in a Denial of Service (DoS). The standard synchronous parser correctly enforces this limit, but the async parser fails to do so, creating an inconsistent enforcement policy. "
Below is my analysis on this issue reported,
CVE-2025-52999 is associated to this and affected on prior to 2.15.0 release.
For 2.9.5 march build has 2.21.1,
<artifactId>jackson-core</artifactId>
<name>Jackson-core</name>
<version>2.21.1</version>
For 2.9.5 march build has 2.21.1,
<artifactId>jackson-core</artifactId>
<name>Jackson-core</name>
<version>2.21.1</version>
Kindly share your thoughts on this vulnerability that affects the Tika 2.9.5 March Snapshot build.
Thanks in advance.
Regards,
Saravanan B
