CVE-2022-42004: Jackson-databind DoS Vulnerability

CVE-2022-42004 Overview

CVE-2022-42004 is a resource exhaustion vulnerability in FasterXML jackson-databind versions prior to 2.13.4. The flaw exists in BeanDeserializer._deserializeFromArray, which lacks a check preventing deserialization of deeply nested JSON arrays. Attackers can submit crafted input that triggers excessive recursion, exhausting stack or memory resources and causing a denial of service. The issue is classified under [CWE-502] Deserialization of Untrusted Data. Exploitation requires that the target application uses certain customized deserialization configurations. The vulnerability affects multiple downstream products including Quarkus, Debian Linux, and NetApp OnCommand Workflow Automation.

Critical Impact

Remote unauthenticated attackers can trigger denial of service on applications using vulnerable jackson-databind configurations by submitting deeply nested JSON arrays.

Affected Products

• FasterXML jackson-databind before 2.13.4
• Quarkus
• Debian Linux 10 and 11
• NetApp OnCommand Workflow Automation

Discovery Timeline

• 2022-10-02 - CVE-2022-42004 published to NVD
• 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-42004

Vulnerability Analysis

The vulnerability resides in the BeanDeserializer._deserializeFromArray() method within jackson-databind. The method recursively processes nested JSON array structures during deserialization. Without a depth limit, the parser follows each level of nesting using stack frames, eventually consuming all available stack space or heap memory. Applications become vulnerable when deserialization features such as UNWRAP_SINGLE_VALUE_ARRAYS are enabled, which causes Jackson to unwrap arrays around scalar bean values. An attacker who can submit JSON input to such an endpoint can craft payloads with thousands of nested arrays. The result is a StackOverflowError or out-of-memory condition that terminates request processing and may crash the application thread.

Root Cause

The root cause is the absence of a recursion depth check in the array deserialization path. The fix introduced in version 2.13.4 adds an explicit guard in BeanDeserializer._deserializeFromArray() that rejects input exceeding the maximum nesting depth before stack exhaustion occurs.

Attack Vector

Exploitation requires network access to an HTTP or messaging endpoint that deserializes attacker-controlled JSON using jackson-databind with vulnerable deserialization features enabled. No authentication or user interaction is required. The attacker submits a JSON document with deeply nested array structures wrapping a value targeted for bean deserialization.

#3582: Add check in `BeanDeserializer._deserializeFromArray()` to prevent
+  use of deeply nested arrays

Source: GitHub Jackson Databind Commit 0631835 - This release note entry documents the addition of the nesting depth check that resolves the vulnerability.

     * values to the corresponding value type.  This is basically the opposite of the {@link #ACCEPT_SINGLE_VALUE_AS_ARRAY}
     * feature.  If more than one value is found in the array, a JsonMappingException is thrown.
     * <p>
+     * NOTE: only <b>single</b> wrapper Array is allowed: if multiple attempted, exception
+     * will be thrown.
     * 
-     * Feature is disabled by default
+     * Feature is disabled by default.
     * @since 2.4
     */
    UNWRAP_SINGLE_VALUE_ARRAYS(false),

Source: GitHub Jackson Databind Commit 0631835 - The patch clarifies that only a single wrapper array is permitted when UNWRAP_SINGLE_VALUE_ARRAYS is enabled, blocking the nested-array abuse pattern.

Detection Methods for CVE-2022-42004

Indicators of Compromise

• Inbound HTTP requests containing JSON payloads with abnormally deep array nesting (hundreds or thousands of [ characters in sequence).
• Application logs reporting java.lang.StackOverflowError originating from com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeFromArray.
• Unexpected JVM OutOfMemoryError events correlated with request processing threads.
• Crashes or restarts of services exposing JSON APIs backed by jackson-databind versions before 2.13.4.

Detection Strategies

• Inventory application dependencies using Software Composition Analysis (SCA) tools to identify jackson-databind versions earlier than 2.13.4.
• Inspect Jackson ObjectMapper configurations for enabled features such as UNWRAP_SINGLE_VALUE_ARRAYS that expose the vulnerable code path.
• Monitor application stack traces for repeated recursive frames in BeanDeserializer during JSON parsing.

Monitoring Recommendations

• Configure Web Application Firewall (WAF) rules to flag JSON payloads exceeding a reasonable nesting depth threshold.
• Forward JVM error logs to a centralized logging platform and alert on stack overflow exceptions in deserialization paths.
• Track CPU and memory spikes on services that accept untrusted JSON to identify resource exhaustion attempts.

How to Mitigate CVE-2022-42004

Immediate Actions Required

• Upgrade jackson-databind to version 2.13.4 or later across all applications and transitive dependencies.
• Apply vendor patches for downstream products: Debian DSA-5283, Gentoo GLSA 202210-21, and NetApp advisory NTAP-20221118-0008.
• Audit ObjectMapper configurations and disable deserialization features that are not required, particularly UNWRAP_SINGLE_VALUE_ARRAYS.

Patch Information

The fix is committed in GitHub Jackson Databind Commit 0631835 and shipped in jackson-databind 2.13.4. Distribution-specific updates are available via the Debian DSA-5283 Security Announcement, Debian LTS Security Announcement, Gentoo GLSA 202210-21, and NetApp Security Advisory NTAP-20221118-0008. Technical context is documented in GitHub Jackson Databind Issue #3582.

Workarounds

• Place a reverse proxy or API gateway in front of vulnerable services to reject JSON payloads exceeding a defined size or nesting depth.
• Disable UNWRAP_SINGLE_VALUE_ARRAYS and similar customized deserialization features when not strictly required.
• Apply request body size limits at the application server level to constrain attacker payload size.

# Maven dependency upgrade example
mvn versions:use-dep-version \
  -Dincludes=com.fasterxml.jackson.core:jackson-databind \
  -DdepVersion=2.13.4 \
  -DforceVersion=true