| summary |
Jackson-core Vulnerable to Memory Disclosure via Source Snippet in JsonLocation
### Overview
A flaw in Jackson-core's `JsonLocation._appendSourceDesc` method allows up to 500 bytes of unintended memory content to be included in exception messages. When parsing JSON from a byte array with an offset and length, the exception message incorrectly reads from the beginning of the array instead of the logical payload start. This results in possible **information disclosure** in systems using **pooled or reused buffers**, like Netty or Vert.x.
### Details
The vulnerability affects the creation of exception messages like:
```
JsonParseException: Unexpected character ... at [Source: (byte[])...]
```
When `JsonFactory.createParser(byte[] data, int offset, int len)` is used, and an error occurs while parsing, the exception message should include a snippet from the specified logical payload. However, the method `_appendSourceDesc` ignores the `offset`, and always starts reading from index `0`.
If the buffer contains residual sensitive data from a previous request, such as credentials or document contents, that data may be exposed if the exception is propagated to the client.
The issue particularly impacts server applications using:
* Pooled byte buffers (e.g., Netty)
* Frameworks that surface parse errors in HTTP responses
* Default Jackson settings (i.e., `INCLUDE_SOURCE_IN_LOCATION` is enabled)
A documented real-world example is [CVE-2021-22145](https://nvd.nist.gov/vuln/detail/CVE-2021-22145) in Elasticsearch, which stemmed from the same root cause.
### Attack Scenario
An attacker sends malformed JSON to a service using Jackson and pooled byte buffers (e.g., Netty-based HTTP servers). If the server reuses a buffer and includes the parser’s exception in its HTTP 400 response, the attacker may receive residual data from previous requests.
### Proof of Concept
```java
byte[] buffer = new byte[1000];
System.arraycopy("SECRET".getBytes(), 0, buffer, 0, 6);
System.arraycopy("{ \"bad\": }".getBytes(), 0, buffer, 700, 10);
JsonFactory factory = new JsonFactory();
JsonParser parser = factory.createParser(buffer, 700, 20);
parser.nextToken(); // throws exception
// Exception message will include "SECRET"
```
### Patches
This issue was silently fixed in jackson-core version 2.13.0, released on September 30, 2021, via [PR #652](https://github.com/FasterXML/jackson-core/pull/652).
All users should upgrade to version 2.13.0 or later.
### Workarounds
If upgrading is not immediately possible, applications can mitigate the issue by:
1. **Disabling exception message exposure to clients** — avoid returning parsing exception messages in HTTP responses.
2. **Disabling source inclusion in exceptions** by setting:
```java
jsonFactory.disable(JsonFactory.Feature.INCLUDE_SOURCE_IN_LOCATION);
```
This prevents Jackson from embedding any source content in exception messages, avoiding leakage.
### References
* [Pull Request #652 (Fix implementation)](https://github.com/FasterXML/jackson-core/pull/652)
* [CVE-2021-22145 (Elasticsearch exposure of this flaw)](https://nvd.nist.gov/vuln/detail/CVE-2021-22145) |