
Jackson Release 3.1.4

Tatu Saloranta edited this page Jun 16, 2026 · 28 revisions

Patch version of 3.1, released on May 29, 2026.

The following fixes are included in this patch release.

Changes, core

  • #1611: Apply number-length validator on streaming integer path of async parser
  • #5950: Improve UUIDDeserializer error handling
  • #5951: Improve InetSocketAddress deserialization [CVE-2026-54514]
  • #5956: Fix problem with float-to-byte range check
  • #5957: Improve java.time.Month deserialization validation by enforcing DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS check
  • #5962: Case-insensitive deserialization may use wrong @JsonIgnoreProperties [CVE-2026-54515]
  • #5967: Renamed @JsonIgnored setters can deserialize via private fields [CVE-2026-54516]
  • #5969: @JsonView by-passed for some "setterless" creator properties [CVE-2026-54517]
  • #5971: @JsonView by-passed for unwrapped creator parameters
  • #5974: @JsonIgnore on Record property ignored with PropertyNamingStrategy
  • #5981: BasicPolymorphicTypeValidator setting allowIfSubTypeIsArray() should validate element type [CVE-2026-54513]
  • #5988: PolymorphicTypeValidator needs to validate generic type parameters too [CVE-2026-54512]
  • #5993: UPPER_SNAKE_CASE / LOWER_CASE NamingStrategyImpls fold case using JVM default locale (Turkish-I bug)
  • #6001: Regression with custom @JsonUnwrapped deserializer from 3.0 to 3.1
  • #6011: Add MapperFeature.FIX_FIELD_NAME_UPPER_CASE_PREFIX in MapperBuilder.configureForJackson2()

Changes, data formats

Avro

  • #693: Incomplete number length validation in Avro decoder (for BigDecimal)

CBOR

  • #691: Add parameterized tests covering all ASCII-optimization exit paths in CBORParser

Ion

  • #696: Incomplete number length validation in Ion decoder (for BigDecimal and/or BigInteger)
  • #863: Fix to support Woodstox 7.2.0 (but no dep version bump)

YAML

  • #680: Restore validateIntegerLength() check in _decodeBigInt
