Description
tools.jackson.core:jackson-core version 3.0.3 (used transitively via jackson-databind) is affected by CVE-2026-29062, a HIGH severity vulnerability that allows Denial of Service via excessive JSON nesting.
Vulnerability Details
Current Dependency Tree
com.networknt:json-schema-validator:jar:3.0.0:compile
├── tools.jackson.core:jackson-databind:jar:3.0.3:compile
│   └── tools.jackson.core:jackson-core:jar:3.0.3:compile
└── tools.jackson.dataformat:jackson-dataformat-yaml:jar:3.0.3:compile
Proposed Fix
Update the version.jackson property in pom.xml from 3.0.3 to 3.1.0. All three Jackson artifacts (jackson-core, jackson-databind, jackson-dataformat-yaml) are available at version 3.1.0 on Maven Central.
I'm happy to submit a PR for this change.
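To confirm the bump took effect, the resolved tree can be checked for any `tools.jackson.*` artifact still below the proposed 3.1.0. The script below is an added example, not code from the project; the function names are hypothetical, the sample tree is constructed from the one in this issue, and the 3.1.0 threshold is taken from the proposed fix rather than from the advisory's affected range.

```python
import re

# Constructed sample: the dependency tree quoted in this issue.
SAMPLE_TREE = """\
com.networknt:json-schema-validator:jar:3.0.0:compile
├── tools.jackson.core:jackson-databind:jar:3.0.3:compile
│   └── tools.jackson.core:jackson-core:jar:3.0.3:compile
└── tools.jackson.dataformat:jackson-dataformat-yaml:jar:3.0.3:compile
"""

TARGET = (3, 1, 0)               # version proposed in the issue (assumed threshold)
GROUP_PREFIX = "tools.jackson."  # Jackson 3.x group ids seen in the tree


def parse_version(text):
    """Return the leading numeric part of a version as a tuple, or None.
    Qualifiers such as -rc1 are ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    return tuple(int(x or 0) for x in m.groups()) if m else None


def outdated_jackson(tree_text, target=TARGET):
    """List (group:artifact, version) for Jackson artifacts below target.
    Accepts box-drawing or ASCII (`+-`, `|`, `\\-`) tree output, with or
    without Maven's [INFO] prefix."""
    findings = []
    for line in tree_text.splitlines():
        line = re.sub(r"^\[INFO\]\s*", "", line)
        # Drop the tree-drawing prefix, keep only the coordinate token.
        coord = re.sub(r"^[\s|+\\\-├└│─]*", "", line).split(" ")[0]
        parts = coord.split(":")
        # group:artifact:type[:classifier]:version:scope
        if len(parts) not in (5, 6) or not parts[0].startswith(GROUP_PREFIX):
            continue
        version = parts[-2]
        parsed = parse_version(version)
        if parsed is None or parsed < target:
            findings.append((f"{parts[0]}:{parts[1]}", version))
    return findings


if __name__ == "__main__":
    for coordinate, version in outdated_jackson(SAMPLE_TREE):
        print(f"below {'.'.join(map(str, TARGET))}: {coordinate} {version}")
```

In a build, feed it the text output of `mvn dependency:tree` instead of `SAMPLE_TREE` and fail the job when the returned list is non-empty.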