Conversation

@mkurz
Member

@mkurz mkurz commented Feb 29, 2024

Step by step.

Akka bumped already, seems everything went smoothly:

Upgrade to 2.16 will be done in:

@PromanSEW
Contributor

@mkurz
Member Author

mkurz commented Feb 29, 2024

Will investigate later...

play.api.data.FormUtilsSpec

```
[info] FormUtils.fromJson should
...
[error]   ! not stack overflow when converting heavily nested arrays (15 ms)
[error]    com.fasterxml.jackson.core.exc.StreamConstraintsException: Depth (1001) exceeds the maximum allowed nesting depth (1000) (StreamReadConstraints.java:261)
[error] com.fasterxml.jackson.core.StreamReadConstraints.validateNestingDepth(StreamReadConstraints.java:261)
[error] com.fasterxml.jackson.core.base.ParserBase.createChildArrayContext(ParserBase.java:1320)
[error] com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:755)
[error] play.api.libs.json.jackson.JsValueDeserializer.deserialize(JacksonJson.scala:240)
[error] play.api.libs.json.jackson.JsValueDeserializer.deserialize(JacksonJson.scala:158)
[error] play.api.libs.json.jackson.JsValueDeserializer.deserialize(JacksonJson.scala:153)
[error] com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:323)
[error] com.fasterxml.jackson.databind.ObjectMapper._readValue(ObjectMapper.java:4801)
[error] com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2974)
[error] play.api.libs.json.jackson.JacksonJson.parseJsValue(JacksonJson.scala:296)
[error] play.api.libs.json.StaticBinding$.parseJsValue(StaticBinding.scala:17)
[error] play.api.libs.json.Json$.parse(Json.scala:175)
[error] play.api.data.FormUtilsSpec.$anonfun$new$5(FormUtilsSpec.scala:60)
```

play.it.http.parsing.JacksonJsonBodyParserSpec

```
[info] JacksonJsonBodyParserSpec
[info] The JSON body parser should
...
[error]   ! parse very deep JSON bodies (62 ms)
[error]    java.util.NoSuchElementException: No value present (JacksonJsonBodyParserSpec.scala:76)
[error] play.it.http.parsing.JacksonJsonBodyParserSpec$$anon$3.running(JacksonJsonBodyParserSpec.scala:76)
[error] play.api.test.AroundHelper.$anonfun$around$1(Specs.scala:78)
[error] play.api.test.WithApplication.$anonfun$wrap$2(Specs.scala:133)
[error] play.api.test.PlayRunners.$anonfun$running$2(Helpers.scala:86)
[error] play.api.test.PlayRunners.runSynchronized(Helpers.scala:61)
[error] play.api.test.PlayRunners.runSynchronized$(Helpers.scala:55)
[error] play.api.test.Helpers$.runSynchronized(Helpers.scala:788)
[error] play.api.test.PlayRunners.running(Helpers.scala:84)
[error] play.api.test.PlayRunners.running$(Helpers.scala:82)
[error] play.api.test.Helpers$.running(Helpers.scala:788)
[error] play.api.test.WithApplication.wrap(Specs.scala:133)
[error] play.api.test.AroundHelper.around(Specs.scala:78)
[error] play.api.test.AroundHelper.delayedInit(Specs.scala:24)
[error] play.api.test.AroundHelper.<init>(Specs.scala:24)
[error] play.api.test.WithApplication.<init>(Specs.scala:124)
[error] play.it.http.parsing.JacksonJsonBodyParserSpec$$anon$3.<init>(JacksonJsonBodyParserSpec.scala:72)
[error] play.it.http.parsing.JacksonJsonBodyParserSpec.$anonfun$new$4(JacksonJsonBodyParserSpec.scala:72)
```

@mkurz
Member Author

mkurz commented May 7, 2024

Also the nightly tests fail because they use Pekko snapshots which already upgraded Jackson:
https://github.com/playframework/playframework/actions/workflows/build-test.yml?query=event%3Aschedule

@pjfanning
Contributor

The equivalent upgrade in Pekko - apache/pekko#564

Also linking playframework/play-json#1055

@pjfanning
Contributor

Jackson now has a default max depth of 1000.

https://www.javadoc.io/doc/com.fasterxml.jackson.core/jackson-core/latest/com/fasterxml/jackson/core/StreamReadConstraints.html#DEFAULT_MAX_DEPTH

apache/pekko#564 supports a config that lets users override this max depth.

@mkurz would you be interested in supporting a similar set of configs in Play?
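The max-depth constraint described above, shown against jackson-core's own StreamReadConstraints API (example added here, not Play, Pekko or Jackson project code; it assumes Jackson 2.15 or later on the classpath, and the raised limit of 2000 is an illustrative value, not a Play or Pekko setting):

```scala
import com.fasterxml.jackson.core.{JsonFactory, JsonFactoryBuilder, StreamReadConstraints}
import com.fasterxml.jackson.core.exc.StreamConstraintsException
import scala.util.{Failure, Success, Try}

object NestingDepthDemo {
  // Constructed input: one level deeper than Jackson's DEFAULT_MAX_DEPTH (1000),
  // the same shape as the "heavily nested arrays" case in FormUtilsSpec.
  private val depth = StreamReadConstraints.DEFAULT_MAX_DEPTH + 1
  val deeplyNested: String = ("[" * depth) + ("]" * depth)

  // Stock factory: Jackson 2.15+ enforces the 1000-level default.
  val defaultFactory: JsonFactory = new JsonFactory()

  // Factory with an explicitly raised limit. 2000 is an illustrative value, not a
  // Play or Pekko setting; an application would read it from its own config.
  val relaxedFactory: JsonFactory = new JsonFactoryBuilder()
    .streamReadConstraints(StreamReadConstraints.builder().maxNestingDepth(2000).build())
    .build()

  // Streams the document with jackson-core only (no databind, as play-json does) and
  // returns the deepest nesting seen. The depth check fires inside nextToken(), the
  // frame that appears in the FormUtilsSpec stack trace.
  def maxDepth(factory: JsonFactory, json: String): Try[Int] = Try {
    val parser = factory.createParser(json)
    try {
      var current = 0
      var deepest = 0
      var token = parser.nextToken()
      while (token != null) {
        if (token.isStructStart) { current += 1; deepest = math.max(deepest, current) }
        else if (token.isStructEnd) current -= 1
        token = parser.nextToken()
      }
      deepest
    } finally parser.close()
  }

  def main(args: Array[String]): Unit = {
    maxDepth(defaultFactory, deeplyNested) match {
      case Failure(e: StreamConstraintsException) => println(s"default limit: rejected (${e.getMessage})")
      case other => println(s"default limit: unexpected result $other")
    }
    maxDepth(relaxedFactory, deeplyNested) match {
      case Success(d) => println(s"raised limit: parsed $d nested arrays")
      case Failure(e) => println(s"raised limit: unexpected failure $e")
    }
  }
}
```

Raising the limit trades the DoS protection the default gives for compatibility with deeper documents, so the value should be set per application rather than disabled.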

ioannakok added a commit to guardian/frontend that referenced this pull request Aug 27, 2024
In order to avoid conflicts with Play's Jackson dependency and fix error:

```
com.fasterxml.jackson.databind.JsonMappingException: Scala module 2.14.3 requires Jackson Databind version >= 2.14.0 and < 2.15.0 - Found jackson-databind version 2.17.2
```

Play needs to adjust some code for its next major release to correctly support Jackson 2.17, see: playframework/playframework#12440

Co-authored-by: Matthias Kurz <[email protected]>
@mkurz mkurz mentioned this pull request Mar 17, 2025
@alok1111

Hello @mkurz,
The 2.14.3 version contains 2 High severity vulnerabilities. Do you have plans to merge this in the near future?
Maybe you have any recommendations for those who would like to get rid of them faster?
We are on Play 2.9.x.

@mcavigelli

> Maybe you have any recommendations for those who would like to get rid of them faster?

I think you can override the jackson dependencies in the following way in your build.sbt file:

```scala
libraryDependencies += "com.fasterxml.jackson.core" % "jackson-databind" % "2.19.1"
libraryDependencies += "com.fasterxml.jackson.dataformat" % "jackson-dataformat-cbor" % "2.19.1"
libraryDependencies += "com.fasterxml.jackson.datatype" % "jackson-datatype-jdk8" % "2.19.1"
libraryDependencies += "com.fasterxml.jackson.datatype" % "jackson-datatype-jsr310" % "2.19.1"
libraryDependencies += "com.fasterxml.jackson.module" % "jackson-module-parameter-names" % "2.19.1"
libraryDependencies += "com.fasterxml.jackson.module" % "jackson-module-scala_2.13" % "2.19.1"
```

After a reload, the output of

```
sbt evicted
```

should contain the following lines

```
* com.fasterxml.jackson.core:jackson-annotations:2.19.1 is selected over {2.14.3}
[info]      +- com.fasterxml.jackson.module:jackson-module-scala_2.13:2.19.1 (depends on 2.19.1)
[info]      +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.19.1 (depends on 2.19.1)
[info]      +- com.fasterxml.jackson.core:jackson-databind:2.19.1 (depends on 2.19.1)
[info]      +- org.playframework:play_2.13:3.0.8                  (depends on 2.14.3)
[info]      +- org.playframework:play-json_2.13:3.0.5             (depends on 2.14.3)
[info]      +- org.apache.pekko:pekko-serialization-jackson_2.13:1.0.3 (depends on 2.14.3)
```

@pjfanning
Contributor

I am a Jackson contributor. Neither of the 2 issues affects play/play-json.
CVE-2025-52999 is really a jackson-databind issue that was easier to fix by adding a feature in jackson-core. play/play-json do not use jackson-databind.
https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538 - this is BS, especially the claims about potential crashes and has been rejected by Jackson team. There is no CVE. There is no POC. play/play-json has its own check for numbers with lots of digits and this change means that play/play-json is not even affected by this issue.

@mkurz
Member Author

mkurz commented Jul 11, 2025

> https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538 - this is BS, especially the claims about potential crashes and has been rejected by Jackson team. There is no CVE. There is no POC. play/play-json has its own check for numbers with lots of digits and this change means that play/play-json is not even affected by this issue.

Here is another in-depth answer I gave a while ago regarding this "severity vulnerability".

@mkurz
Member Author

mkurz commented Jul 11, 2025

Closing as this is part of
