Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%
Buy Us a Coffee

FasterXML — Vulnerabilities & Security Advisories 14

Browse all 14 CVE security advisories affecting FasterXML. AI-powered Chinese analysis, POCs, and references for each vulnerability.

FasterXML develops the Jackson JSON processing library, widely used for data binding and parsing in Java applications. Historically, vulnerabilities have primarily centered on remote code execution (RCE) and cross-site scripting (XSS) due to insecure deserialization and input validation flaws. The library's extensive adoption makes it a high-value target. Notable security characteristics include its modular architecture, though complex configurations can introduce risks. While no major public incidents have been widely documented, the 6 CVEs on record highlight persistent concerns around memory corruption and improper handling of untrusted input, necessitating careful implementation and regular updates.

Top products by FasterXML: jackson-databind jackson-core jackson-dataformats-text
CVE IDTitleCVSSSeverityPublished
CVE-2026-54518 jackson-databind: @JsonView bypass for unwrapped creator parameters in jackson-databind — jackson-databindCWE-863 6.5 Medium2026-06-23
CVE-2026-50193 jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString() — jackson-databindCWE-400--2026-06-23
CVE-2026-54512 jackson-databind: PolymorphicTypeValidator bypass via generic type parameters allows arbitrary class instantiation — jackson-databindCWE-184 8.1 High2026-06-23
CVE-2026-54513 jackson-databind: Array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray) — jackson-databindCWE-184 8.1 High2026-06-23
CVE-2026-54514 jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF) — jackson-databindCWE-918 5.3 Medium2026-06-23
CVE-2026-54515 jackson-databind: Case-insensitive deserialization bypasses per-property @JsonIgnoreProperties — jackson-databindCWE-915 5.3 Medium2026-06-23
CVE-2026-54516 jackson-databind: Renamed @JsonIgnore'd setters can deserialize via private fields — jackson-databindCWE-915 5.3 Medium2026-06-23
CVE-2026-54517 jackson-databind: @JsonView bypass for setterless creator properties — jackson-databindCWE-863 5.3 Medium2026-06-23
CVE-2026-29062 jackson-core: Nesting Depth Constraint Bypass in `UTF8DataInputJsonParser` potentially allowing Resource Exhaustion — jackson-coreCWE-770 7.5 -2026-03-06
CVE-2025-52999 jackson-core Has Potential for StackoverflowError if user parses an input file that contains very deeply nested data — jackson-coreCWE-121 6.5 -2025-06-25
CVE-2025-49128 Jackson-core Vulnerable to Memory Disclosure via Source Snippet in JsonLocation — jackson-coreCWE-209 4.0 Medium2025-06-06
CVE-2023-3894 DOS in jackson-dataformats-text — jackson-dataformats-textCWE-20 5.8 Medium2023-08-08
CVE-2017-15095 FasterXML Jackson-databind 代码问题漏洞 — jackson-databindCWE-184 9.8 -2018-02-06
CVE-2017-7525 FasterXML Jackson 代码问题漏洞 — jackson-databindCWE-184 9.8 -2018-02-06

This page lists every published CVE security advisory associated with FasterXML. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.