CVE-2023-35116 Overview
CVE-2023-35116 is a denial of service vulnerability affecting jackson-databind through version 2.15.2. The vulnerability allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies during serialization operations.
It is important to note that the vendor (FasterXML) disputes this vulnerability report, stating that the steps required to construct a cyclic data structure and attempt to serialize it cannot be achieved by an external attacker in typical usage scenarios. This makes the practical exploitability of this vulnerability highly dependent on application-specific implementation patterns.
Critical Impact
Applications using jackson-databind that serialize untrusted or user-controlled object graphs may be vulnerable to denial of service attacks through resource exhaustion when processing objects with cyclic dependencies.
Affected Products
- FasterXML jackson-databind versions through 2.15.2
Discovery Timeline
- June 14, 2023 - CVE CVE-2023-35116 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2023-35116
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The core issue relates to how jackson-databind handles object serialization when encountering cyclic dependencies within data structures.
When a Java object graph contains circular references (where object A references object B, and object B references object A directly or indirectly), the serialization process can enter an infinite loop or consume excessive resources attempting to resolve these dependencies. Without proper cycle detection or depth limits, this can lead to stack overflow errors, memory exhaustion, or CPU resource consumption.
The vulnerability requires local access and specific conditions to exploit, as an attacker would need the ability to construct and inject a malicious object graph into the serialization path of the application. The vendor maintains that external attackers cannot typically achieve these prerequisites in real-world deployments.
Root Cause
The root cause stems from insufficient handling of cyclic object references during the serialization process. When jackson-databind attempts to serialize an object graph containing circular references without explicit cycle detection mechanisms enabled, it may recursively traverse the same objects indefinitely, leading to resource exhaustion.
Jackson-databind does provide mechanisms to handle cyclic dependencies (such as @JsonIdentityInfo annotations), but these must be explicitly configured by developers. The vulnerability manifests when such safeguards are not implemented and untrusted data structures are processed.
Attack Vector
The attack vector is local, requiring the attacker to have the ability to influence the object graph being serialized. This typically means the attacker needs access to:
- Application code that deserializes attacker-controlled input into Java objects
- A subsequent serialization step that processes these objects
- Object types that allow circular reference construction
The attack scenario involves crafting a data structure with cyclic dependencies that, when passed to jackson-databind's serialization methods, causes excessive resource consumption. For detailed technical discussion and vendor response, see the GitHub Issue Discussion.
Detection Methods for CVE-2023-35116
Indicators of Compromise
- Unusual CPU spikes during JSON serialization operations
- Stack overflow exceptions in application logs related to jackson-databind serialization
- Memory exhaustion or OutOfMemoryError exceptions during object serialization
- Application hangs or timeouts during serialization of user-provided data
Detection Strategies
- Monitor application logs for StackOverflowError or recursive serialization exceptions involving jackson-databind classes
- Implement application performance monitoring (APM) to detect abnormal resource consumption patterns during serialization
- Use static code analysis tools to identify jackson-databind usage without cycle detection configurations
- Review code for patterns where user-controlled data is deserialized and subsequently serialized
Monitoring Recommendations
- Set up alerts for unusual memory consumption patterns in applications using jackson-databind
- Monitor for repeated serialization timeouts or failures in API responses
- Track CPU utilization anomalies that correlate with JSON processing operations
How to Mitigate CVE-2023-35116
Immediate Actions Required
- Audit applications to identify where jackson-databind serializes potentially untrusted object graphs
- Implement @JsonIdentityInfo annotations on classes that may contain circular references
- Configure serialization depth limits where supported
- Review and restrict which object types can be serialized from user input
Patch Information
The vendor (FasterXML) has disputed this vulnerability, stating the attack scenario requires attacker control over object construction which is not typically achievable by external attackers. Organizations should evaluate their specific use cases to determine if their applications are at risk.
For the latest information and vendor guidance, consult the GitHub Issue Discussion.
Workarounds
- Enable cycle detection by annotating classes with @JsonIdentityInfo to handle circular references gracefully
- Implement custom serializers that include depth checking for complex object graphs
- Validate and sanitize input data before deserialization to prevent construction of malicious object structures
- Consider using ObjectMapper configurations that limit serialization depth or handle cycles explicitly
# Configuration example - verify jackson-databind version in Maven projects
mvn dependency:tree | grep jackson-databind
# Check for affected versions in Gradle projects
./gradlew dependencies | grep jackson-databind
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
