jackson-core 2.19.4, as used in Spring Boot 3.5.11, is affected by Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition.
I've asked the Jackson project if there will be a 2.19.x patch update with the fix, but I got a response saying that Jackson 2.19 is no longer maintained and that 2.18 and 2.21 are the LTS releases that got updates (2.18.6, 2.21.1).
Looking at the release notes for Jackson 2.20 and 2.21, it looks like 2.19 to 2.21 should be a backwards compatible update in the context of Spring Boot 3.5 applications, because the JDK baseline changes for jackson-annotations, jackson-datatype-hibernate and jackson-jakarta-providers won't affect Spring Boot 3.5 applications, which already require Java 17 or later due to the use of Spring Boot 3.5.
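Until a Spring Boot release picks up a fixed Jackson, an application can pin the managed Jackson version itself. The following Maven fragment is an added example, not from the issue or the Spring Boot project; it assumes the Spring Boot parent POM and the `jackson-bom.version` property that spring-boot-dependencies uses for the Jackson BOM (check the property name against your Spring Boot version's dependency-versions appendix).

```xml
<project>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.5.11</version>
  </parent>

  <properties>
    <!-- Override the Jackson BOM managed by Spring Boot 3.5.11 (2.19.4)
         with the patched 2.21 LTS line; assumed property name -->
    <jackson-bom.version>2.21.1</jackson-bom.version>
  </properties>

  <dependencies>
    <!-- No version here: it now resolves through the overridden BOM -->
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-core</artifactId>
    </dependency>
  </dependencies>
</project>
```

After the override, confirm with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` that no transitive path still resolves jackson-core 2.19.4.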