GHSA-72hv-8253-57qq
WSO2 Products impacted: no
Customer actions required: no
REPORTED VULNERABILITY
A Denial of Service (DoS) vulnerability (CWE-770, Medium severity) exists in Jackson Core versions 2.0.0 through 2.18.5. A crafted numeric value can bypass the number length constraint in jackson-core's async (non-blocking) JSON parser (NonBlockingJsonParser), leading to excessive memory consumption [1].
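For context on the constraint the advisory refers to: in jackson-core 2.15 and later, the number length limit is `StreamReadConstraints.maxNumberLength` (1000 digits by default). The Java example below is added here and is not from the advisory, Jackson, or WSO2; it pins that limit on a blocking-parser JsonFactory and checks that an over-long numeric literal is rejected. The limit value, class name and sample inputs are constructed for illustration.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import java.io.IOException;

public class NumberLengthLimitCheck {

    // Hypothetical application limit, far below Jackson's default of 1000 digits.
    private static final int MAX_NUMBER_LENGTH = 100;

    // Blocking-parser factory with the number length constraint pinned explicitly
    // instead of relying on the library default.
    private static final JsonFactory FACTORY = JsonFactory.builder()
            .streamReadConstraints(StreamReadConstraints.builder()
                    .maxNumberLength(MAX_NUMBER_LENGTH)
                    .build())
            .build();

    /** Returns true if the document parses fully, false if a stream constraint rejects it. */
    static boolean parsesWithinLimits(String json) throws IOException {
        try (JsonParser p = FACTORY.createParser(json)) {
            while (p.nextToken() != null) {
                if (p.currentToken().isNumeric()) {
                    p.getNumberValue(); // force full numeric decoding of the token
                }
            }
            return true;
        } catch (StreamConstraintsException e) {
            // Raised when a numeric literal exceeds maxNumberLength (or another read constraint)
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs, not taken from the advisory.
        String normal = "{\"amount\": 123456789}";
        String oversized = "{\"amount\": " + "9".repeat(MAX_NUMBER_LENGTH + 1) + "}";

        System.out.println("normal accepted:    " + parsesWithinLimits(normal));
        System.out.println("oversized accepted: " + parsesWithinLimits(oversized));
    }
}
```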
REPORTED PRODUCTS
- WSO2 Identity Server : 7.3.0
WSO2 JUSTIFICATION
The flagged Jackson Core library is not used directly by WSO2 Identity Server. It is embedded within the Hazelcast clustering library as an internal dependency. The vulnerability specifically affects the async (non-blocking) JSON parser in jackson-core, which is never used by Hazelcast. Hazelcast's own security team has confirmed that this vulnerability is not exploitable in their product [2]. In WSO2 Identity Server, Hazelcast is used solely for clustering and caching, and no untrusted user input reaches its internal JSON parsing. Therefore, the vulnerable code path is unreachable and does not pose a security risk.
A remediated Jackson Core is available from Hazelcast 5.6.0 onwards. However, upgrading from the currently shipped Hazelcast 5.3.6 to 5.6.0 spans multiple minor versions, with each version introducing breaking API and behavioral changes [3][4][5]. Due to these concerns, we are publishing this CVE justification with a detailed analysis outlining how the associated risk is mitigated in WSO2 Identity Server.
REFERENCES
- [1] https://github.com/FasterXML/jackson-core/security/advisories/GHSA-72hv-8253-57qq
- [2] https://github.com/hazelcast/hazelcast/issues/26578#issuecomment-4125517789
- [3] https://docs.hazelcast.com/hazelcast/5.6/release-notes/community#breaking-changes
- [4] https://docs.hazelcast.com/hazelcast/5.5/release-notes/community#breaking-changes
- [5] https://docs.hazelcast.com/hazelcast/5.4/release-notes/community#breaking-changes