Enforce StreamReadConstraints.maxNumberLength for non-blocking (async) parser#1555

Merged
cowtowncoder merged 4 commits intoFasterXML:2.18from
pjfanning:numlen218
Feb 22, 2026

Conversation

@pjfanning (Member):

Validate number length against constraints in async parser.

@cowtowncoder cowtowncoder changed the title check numlen in async parser Enforce StreamReadConstraints.maxNumberLength for non-blocking (async) parser Feb 22, 2026
@cowtowncoder (Member) left a comment:

LGTM, will merge first thing tomorrow.

@cowtowncoder cowtowncoder merged commit b0c428e into FasterXML:2.18 Feb 22, 2026
5 of 7 checks passed
@cowtowncoder cowtowncoder added labels 2.18 (Issues planned at earliest for 2.18), 2.21 (Issues planned (at earliest) for 2.21), 3.1 Feb 22, 2026
@cowtowncoder cowtowncoder modified the milestone: 2.18.6 Feb 22, 2026
cowtowncoder added a commit that referenced this pull request Feb 22, 2026
@pjfanning pjfanning deleted the numlen218 branch February 26, 2026 18:32
@cebarks commented Mar 5, 2026:

Hi there @cowtowncoder @pjfanning,

I work in Product Security over at Red Hat. We had a reporter reach out to us concerned that this should be considered a security vulnerability. If you don't mind, I was going to assign a CVE id to track this. Is this alright with you?

If so, let me know if anyone would like credit for the discovery and/or if @pjfanning wants credit for the fix.

Thanks!

@pjfanning (Member, Author):

@cebarks we have GHSA-72hv-8253-57qq

We don't view this as CVE-worthy. The effect of numbers with multi-thousand digits is non-linear CPU time parsing the number. We use the Java Runtime to do this parsing. If Jackson has an issue, then so does the Java Runtime.
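A defender-side check, added here as an example and not code from this PR or from Jackson itself, that configures `StreamReadConstraints.maxNumberLength` on a `JsonFactory` and confirms that the non-blocking parser rejects an oversized number before the digits are handed to the Java Runtime for conversion. It assumes a jackson-core release that includes this fix (2.18.6 per the milestone above) and uses only the public builder and async-feeder APIs shown; the input document is constructed.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.async.ByteArrayFeeder;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import java.nio.charset.StandardCharsets;

public class AsyncNumberLengthCheck {
    // Constructed input: a JSON document whose only value is an integer
    // with far more digits than any legitimate payload needs.
    static byte[] longNumberDoc(int digits) {
        StringBuilder sb = new StringBuilder("{\"n\":");
        for (int i = 0; i < digits; i++) sb.append('7');
        sb.append('}');
        return sb.toString().getBytes(StandardCharsets.UTF_8);
    }

    // Feed the whole document to the non-blocking parser and drain its tokens.
    // Returns true if StreamReadConstraints rejected the input.
    static boolean rejectedByConstraints(JsonFactory factory, byte[] doc) throws Exception {
        try (JsonParser p = factory.createNonBlockingByteArrayParser()) {
            ByteArrayFeeder feeder = (ByteArrayFeeder) p.getNonBlockingInputFeeder();
            feeder.feedInput(doc, 0, doc.length);
            feeder.endOfInput();
            JsonToken t;
            while ((t = p.nextToken()) != null && t != JsonToken.NOT_AVAILABLE) {
                if (t == JsonToken.VALUE_NUMBER_INT) {
                    p.getNumberValue(); // this is where the digits would be converted
                }
            }
            return false;
        } catch (StreamConstraintsException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        JsonFactory factory = JsonFactory.builder()
                .streamReadConstraints(StreamReadConstraints.builder()
                        .maxNumberLength(1000) // the library default; lower it for untrusted input
                        .build())
                .build();
        System.out.println("10000-digit number rejected: "
                + rejectedByConstraints(factory, longNumberDoc(10_000)));
        System.out.println("100-digit number rejected: "
                + rejectedByConstraints(factory, longNumberDoc(100)));
    }
}
```

Run the same class against a jackson-core build without this fix to see the difference: the blocking parser already rejects the 10000-digit document, while the non-blocking parser only does so once this change is included.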

@cebarks commented Mar 5, 2026:

Gotcha, totally reasonable. I'll defer to your judgement and skip assigning a CVE.

Thanks for your quick response!
