CVE-2022-42004 Overview
CVE-2022-42004 is an insecure deserialization vulnerability in FasterXML jackson-databind before version 2.13.4. The vulnerability enables resource exhaustion attacks due to a missing check in BeanDeserializer._deserializeFromArray() that fails to prevent the processing of deeply nested arrays. Applications are vulnerable when using certain customized deserialization configurations, particularly when UNWRAP_SINGLE_VALUE_ARRAYS is enabled.
Jackson-databind is one of the most widely used JSON processing libraries in the Java ecosystem, making this vulnerability significant for enterprise applications, microservices, and cloud-native deployments that rely on JSON data binding.
Critical Impact
Attackers can cause denial of service through resource exhaustion by sending maliciously crafted JSON payloads containing deeply nested arrays, potentially crashing Java applications or consuming excessive system resources.
Affected Products
- FasterXML jackson-databind (versions before 2.12.7.1 and 2.13.x before 2.13.4)
- Quarkus (versions utilizing vulnerable jackson-databind)
- Debian Linux 10.0 and 11.0
- NetApp OnCommand Workflow Automation
Discovery Timeline
- 2022-10-02 - CVE-2022-42004 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-42004
Vulnerability Analysis
This vulnerability exists in the Jackson-databind library's array deserialization handling. When processing JSON input, the BeanDeserializer._deserializeFromArray() method lacked proper depth validation for nested array structures. This omission allows an attacker to craft JSON payloads with excessively deep array nesting that consumes stack space and memory during deserialization.
The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data), which represents a critical class of vulnerabilities where applications fail to properly validate serialized data before processing it.
Applications become vulnerable when they enable the UNWRAP_SINGLE_VALUE_ARRAYS deserialization feature, which allows Jackson to unwrap single-element arrays into their contained values. Without proper depth checks, recursive processing of nested arrays can exhaust available resources.
Root Cause
The root cause is the absence of a nesting depth check in BeanDeserializer._deserializeFromArray(). When the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled, Jackson attempts to recursively unwrap nested arrays without tracking or limiting the recursion depth. An attacker can exploit this by constructing a JSON payload with thousands of nested array levels, causing stack overflow or memory exhaustion.
The security patch adds explicit documentation and enforcement that only a single wrapper array is allowed:
* values to the corresponding value type. This is basically the opposite of the {@link #ACCEPT_SINGLE_VALUE_AS_ARRAY}
* feature. If more than one value is found in the array, a JsonMappingException is thrown.
* <p>
+ * NOTE: only <b>single</b> wrapper Array is allowed: if multiple attempted, exception
+ * will be thrown.
*
- * Feature is disabled by default
+ * Feature is disabled by default.
* @since 2.4
*/
UNWRAP_SINGLE_VALUE_ARRAYS(false),
Source: GitHub Jackson Databind Commit
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker can send a crafted HTTP request containing a JSON payload with deeply nested arrays to any endpoint that deserializes JSON using a vulnerable jackson-databind configuration.
The attack payload would consist of a JSON structure containing thousands of nested empty arrays, such as [[[[[[...]]]]]], which forces the deserializer into deep recursion. When processed by a vulnerable application with UNWRAP_SINGLE_VALUE_ARRAYS enabled, this causes resource exhaustion leading to denial of service.
#3565: `Arrays.asList()` value deserialization has changed from mutable to
immutable in 2.13
(reported by JonasWilms@github)
+#3582: Add check in `BeanDeserializer._deserializeFromArray()` to prevent
+ use of deeply nested arrays
2.13.3 (14-May-2022)
Source: GitHub Jackson Databind Commit
Detection Methods for CVE-2022-42004
Indicators of Compromise
- Unusual spikes in memory consumption by Java application processes during JSON parsing operations
- Stack overflow exceptions or OutOfMemoryError entries in application logs associated with Jackson deserialization
- Repeated application crashes or restarts coinciding with incoming API requests containing large JSON payloads
- Network traffic containing abnormally large JSON payloads with repetitive array bracket patterns
Detection Strategies
- Implement application performance monitoring to detect sudden increases in CPU or memory usage during request processing
- Deploy web application firewalls (WAF) with rules to detect and block JSON payloads exceeding reasonable nesting depths
- Use dependency scanning tools to identify applications running vulnerable jackson-databind versions (before 2.12.7.1 or 2.13.x before 2.13.4)
- Monitor JVM metrics for stack depth anomalies and garbage collection pressure during JSON deserialization
Monitoring Recommendations
- Configure alerting for Java applications experiencing repeated StackOverflowError or OutOfMemoryError exceptions
- Implement request payload size limits and JSON parsing timeouts at the API gateway level
- Enable verbose logging for Jackson deserialization operations in development and staging environments
- Use SentinelOne Singularity Platform to monitor for resource exhaustion patterns indicative of DoS attacks targeting deserialization
How to Mitigate CVE-2022-42004
Immediate Actions Required
- Upgrade jackson-databind to version 2.13.4 or later immediately for all affected applications
- For applications using jackson-databind 2.12.x, upgrade to version 2.12.7.1 or later
- Audit application configurations to identify usage of UNWRAP_SINGLE_VALUE_ARRAYS deserialization feature
- Implement input validation to reject JSON payloads with excessive nesting depth before deserialization
Patch Information
FasterXML has released patched versions addressing this vulnerability. The fix adds proper depth checking in BeanDeserializer._deserializeFromArray() to prevent processing of deeply nested arrays. Upgrade to the following versions:
- jackson-databind 2.13.4 or later for the 2.13.x branch
- jackson-databind 2.12.7.1 or later for the 2.12.x branch
The patch is available in the GitHub Jackson Databind Commit. Additional security advisories are available from Debian Security Advisory DSA-5283, Gentoo GLSA 202210-21, and NetApp Security Advisory NTAP-20221118-0008.
Workarounds
- Disable UNWRAP_SINGLE_VALUE_ARRAYS feature if not strictly required by application logic
- Implement a custom JsonDeserializer with explicit depth tracking to reject overly nested structures
- Deploy API gateway rules to validate and limit JSON nesting depth before requests reach the application
- Use a JSON schema validator to enforce maximum nesting depth constraints on incoming payloads
# Maven dependency update example
# Update pom.xml to use patched jackson-databind version
mvn versions:use-latest-versions -Dincludes=com.fasterxml.jackson.core:jackson-databind
# Verify current jackson-databind version in your project
mvn dependency:tree | grep jackson-databind
# Force update to specific patched version
mvn versions:set-property -Dproperty=jackson.version -DnewVersion=2.13.4
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
