Spring Boot 4.0.x includes tools.jackson.core:jackson-core:3.0.4, which is affected by the vulnerability GHSA-72hv-8253-57qq (CVSS 8.7). This is the same async parser maxNumberLength bypass issue that is being addressed in Spring Boot 3.5.x via #49365.
The same pattern applies here:
- The vulnerability is fixed in jackson-core:3.1.0 (released 2026-02-23).
- No fix has been backported to the 3.0.x branch.
- Spring Boot 4.0.x cannot adopt the fix without a minor version upgrade.
Since the team previously decided to take the unusual but necessary step of upgrading to a new Jackson minor version in a 3.5.x patch release to address this vulnerability (#49365), would it be possible and appropriate to do the same for 4.0.x?