
fix(deps): bump Jackson to 2.22.0 to address CVE-2026-54513#2556

Open: phipag wants to merge 1 commit into main from fix/jackson-cve-2026-54513

Conversation

phipag (Contributor) commented Jul 2, 2026

Summary

Changes

Bumps Jackson to 2.22.0 across the project to fix CVE-2026-54513, an
array subtype allowlist bypass in BasicPolymorphicTypeValidator. The
root jackson.version was 2.21.2, which falls in the affected range
(>= 2.19.0, < 2.21.4). 2.22.0 is the newest 2.x release and targets Java
8 bytecode, so it stays compatible with our Java 11 baseline.

Updated three locations:

  • pom.xml: jackson.version 2.21.2 to 2.22.0 (drives the Jackson BOM
    that all modules inherit)
  • examples/powertools-examples-kafka/tools/pom.xml: pinned
    jackson-databind 2.19.0 to 2.22.0
  • examples/powertools-examples-core-utilities/gradle/build.gradle:
    jackson-annotations, jackson-databind, and jackson-datatype-jsr310
    2.13.2 to 2.22.0

Issue number: #2544


By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
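A check a reviewer might run after a bump like this, added here as an example and not part of the PR or the project: scan `mvn dependency:tree` output for Jackson artifacts that still resolve inside the affected range quoted in the description. The sample tree below is constructed, and the range bounds (2.19.0 and 2.21.4) are taken from the PR text.

```shell
#!/usr/bin/env bash
# Added example (not part of this PR): flag Jackson artifacts in
# `mvn dependency:tree` output whose resolved version lies in the
# CVE-2026-54513 affected range (>= 2.19.0, < 2.21.4) quoted in the PR.
# Assumes the usual "groupId:artifactId:type:version:scope" line format.

# Constructed sample tree, not captured from the real project. Note that
# jackson-datatype-jsr310 2.13.2 sits below the range and is not flagged,
# which is why the bounds are parameters rather than hard-coded.
SAMPLE_TREE='[INFO] com.example:app:jar:1.0
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.21.2:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.21.2:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-core:jar:2.21.2:compile
[INFO] +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.2:compile
[INFO] \- org.example:other-lib:jar:3.4.0:compile'

# version_in_range VERSION LOW HIGH: succeeds when LOW <= VERSION < HIGH,
# comparing the first three dotted components numerically.
version_in_range() {
  awk -v v="$1" -v lo="$2" -v hi="$3" '
    function cmp(a, b,   x, y, i) {
      split(a, x, "."); split(b, y, ".")
      for (i = 1; i <= 3; i++)
        if (x[i] + 0 != y[i] + 0) return (x[i] + 0 < y[i] + 0) ? -1 : 1
      return 0
    }
    BEGIN { if (cmp(v, lo) >= 0 && cmp(v, hi) < 0) exit 0; exit 1 }'
}

# affected_jackson_artifacts TREE LOW HIGH: prints "artifactId:version" for
# every com.fasterxml.jackson.* artifact resolved inside [LOW, HIGH).
affected_jackson_artifacts() {
  printf '%s\n' "$1" | grep -o 'com\.fasterxml\.jackson[^ ]*' |
    while IFS=: read -r _group artifact _type version _scope; do
      if version_in_range "$version" "$2" "$3"; then
        printf '%s:%s\n' "$artifact" "$version"
      fi
    done
}

# Against a real build, feed in the actual tree instead of the sample:
#   affected_jackson_artifacts "$(mvn dependency:tree)" 2.19.0 2.21.4
affected_jackson_artifacts "$SAMPLE_TREE" 2.19.0 2.21.4
```

Run it once per module (or with `mvn -pl` scoped to each example build) since the Gradle example in this PR is not covered by the Maven tree at all.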

sonarqubecloud Bot commented Jul 2, 2026

github-actions Bot (Contributor) commented Jul 2, 2026

Dependency Review

The following issues were found:

  • ❌ 601 vulnerable package(s)
  • ❌ 516 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 493 package(s) with unknown licenses.


Development

Successfully merging this pull request may close these issues.

Maintenance: Using vulnerable jackson-databind version