+ "details": "### Overview\n\nA flaw in Jackson-core's `JsonLocation._appendSourceDesc` method allows up to 500 bytes of unintended memory content to be included in exception messages. When parsing JSON from a byte array with an offset and length, the exception message incorrectly reads from the beginning of the array instead of the logical payload start. This results in possible **information disclosure** in systems using **pooled or reused buffers**, like Netty or Vert.x.\n\n### Details\n\nThe vulnerability affects the creation of exception messages like:\n\n```\nJsonParseException: Unexpected character ... at [Source: (byte[])...]\n```\n\nWhen `JsonFactory.createParser(byte[] data, int offset, int len)` is used, and an error occurs while parsing, the exception message should include a snippet from the specified logical payload. However, the method `_appendSourceDesc` ignores the `offset`, and always starts reading from index `0`.\n\nIf the buffer contains residual sensitive data from a previous request, such as credentials or document contents, that data may be exposed if the exception is propagated to the client.\n\nThe issue particularly impacts server applications using:\n\n* Pooled byte buffers (e.g., Netty)\n* Frameworks that surface parse errors in HTTP responses\n* Default Jackson settings (i.e., `INCLUDE_SOURCE_IN_LOCATION` is enabled)\n\nA documented real-world example is [CVE-2021-22145](https://nvd.nist.gov/vuln/detail/CVE-2021-22145) in Elasticsearch, which stemmed from the same root cause.\n\n### Attack Scenario\n\nAn attacker sends malformed JSON to a service using Jackson and pooled byte buffers (e.g., Netty-based HTTP servers). If the server reuses a buffer and includes the parser’s exception in its HTTP 400 response, the attacker may receive residual data from previous requests.\n\n### Proof of Concept\n\n```java\nbyte[] buffer = new byte[1000];\nSystem.arraycopy(\"SECRET\".getBytes(), 0, buffer, 0, 6);\nSystem.arraycopy(\"{ \\\"bad\\\": }\".getBytes(), 0, buffer, 700, 10);\n\nJsonFactory factory = new JsonFactory();\nJsonParser parser = factory.createParser(buffer, 700, 20);\nparser.nextToken(); // throws exception\n\n// Exception message will include \"SECRET\"\n```\n\n### Patches\nThis issue was silently fixed in jackson-core version 2.13.0, released on September 30, 2021, via [PR #652](https://github.com/FasterXML/jackson-core/pull/652).\n\nAll users should upgrade to version 2.13.0 or later.\n\n### Workarounds\nIf upgrading is not immediately possible, applications can mitigate the issue by:\n\n1. **Disabling exception message exposure to clients** — avoid returning parsing exception messages in HTTP responses.\n2. **Disabling source inclusion in exceptions** by setting:\n\n ```java\n jsonFactory.disable(JsonFactory.Feature.INCLUDE_SOURCE_IN_LOCATION);\n ```\n\n This prevents Jackson from embedding any source content in exception messages, avoiding leakage.\n\n\n### References\n* [Pull Request #652 (Fix implementation)](https://github.com/FasterXML/jackson-core/pull/652)\n* [CVE-2021-22145 (Elasticsearch exposure of this flaw)](https://nvd.nist.gov/vuln/detail/CVE-2021-22145)",
0 commit comments