CVE-2025-49128
BaseFortify
Publication date: 2025-06-06
Last updated on: 2025-06-09
Assigner: GitHub, Inc.
Exploitability
| CWE ID | Description |
|---|---|
| CWE-209 | The product generates an error message that includes sensitive information about its environment, users, or associated data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in jackson-core versions from 2.0.0 up to but not including 2.13.0. A flaw in the JsonLocation._appendSourceDesc method causes exception messages to include up to 500 bytes of unintended memory content. When JSON is parsed from a byte array with an offset and length, the source snippet embedded in the exception message is taken from the start of the backing array rather than from the offset where the payload logically begins. This can lead to information disclosure in systems using pooled or reused buffers.
How can this vulnerability impact me?
The vulnerability can lead to unintended information disclosure by including up to 500 bytes of memory content in exception messages. This is particularly risky in environments using pooled or reused buffers, such as Netty or Vert.x, where sensitive data might be leaked through error messages returned to clients.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade jackson-core to version 2.13.0 or later. If upgrading is not immediately possible, stop exposing exception messages to clients, so that parsing exception messages are never returned in HTTP responses, and/or disable source inclusion in exceptions so that Jackson does not embed any source content in exception messages, which prevents the leak at its origin.
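As an added example (not BaseFortify's or the Jackson project's own code), the two mitigations above combined in one jackson-core parsing helper: the factory disables source inclusion in locations, and the error handler returns a fixed string to the caller while logging only the location-free message. It assumes jackson-core 2.13 or later, where `StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` exists, and Java 16+ for the record type; the pooled buffer with stale bytes is constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.StreamReadFeature;

public final class SafeJsonParse {

    // Hardened factory: never embed raw source bytes in JsonLocation / exception text.
    // Assumption: jackson-core 2.13+ (the feature does not exist in older releases).
    private static final JsonFactory FACTORY = JsonFactory.builder()
            .disable(StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION)
            .build();

    /** What the caller sees (clientMessage) versus what goes to the server log. */
    public record Outcome(boolean ok, String clientMessage, String logMessage) {}

    /** Parses the slice buf[offset, offset+len) and walks every token. */
    public static Outcome parseSlice(byte[] buf, int offset, int len) {
        try (JsonParser p = FACTORY.createParser(buf, offset, len)) {
            while (p.nextToken() != null) { /* real code would bind values here */ }
            return new Outcome(true, "ok", "parsed " + len + " bytes");
        } catch (JsonProcessingException e) {
            // Client gets a fixed string; the log gets the message without location or source.
            return new Outcome(false, "Malformed JSON", "parse error: " + e.getOriginalMessage());
        } catch (IOException e) {
            return new Outcome(false, "Malformed JSON", "I/O error: " + e.getClass().getSimpleName());
        }
    }

    public static void main(String[] args) {
        // Constructed "pooled" buffer: stale bytes from an earlier request precede the payload.
        byte[] stale = "Authorization: Bearer EXAMPLE-TOKEN ".getBytes(StandardCharsets.UTF_8);
        byte[] payload = "{\"user\": \"alice\", \"n\": }".getBytes(StandardCharsets.UTF_8); // invalid JSON
        byte[] pooled = new byte[stale.length + payload.length];
        System.arraycopy(stale, 0, pooled, 0, stale.length);
        System.arraycopy(payload, 0, pooled, stale.length, payload.length);

        Outcome o = parseSlice(pooled, stale.length, payload.length);
        System.out.println("client <- " + o.clientMessage());
        System.out.println("log    <- " + o.logMessage());
    }
}
```

Neither string printed by `main` contains the stale bytes before the offset, because source inclusion is off at the factory and the client-facing text is a constant.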