{"id":"CVE-2022-42004","details":"In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.","aliases":["GHSA-rgv9-q543-rqg4"],"modified":"2026-04-11T17:20:30.496682Z","published":"2022-10-02T05:15:09.237Z","related":["CGA-g8r9-2x26-qc63","MGASA-2024-0069","SUSE-SU-2022:3995-1","openSUSE-SU-2024:12412-1"],"database_specific":{"unresolved_ranges":[{"cpe":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"10.0"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"11.0"}],"source":"CPE_FIELD"}]},"references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202210-21"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20221118-0008/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5283"},{"type":"REPORT","url":"https://github.com/FasterXML/jackson-databind/issues/3582"},{"type":"FIX","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490"},{"type":"FIX","url":"https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/fasterxml/jackson-databind","events":[{"introduced":"0"},{"fixed":"ea6f3d4b05dde564a1a5013dd34467d676072afa"},{"fixed":"70c5dfbd52410d99d36181072711125ac5240a15"},{"introduced":"70c5dfbd52410d99d36181072711125ac5240a15"},{"fixed":"13cd41d616022f63a0af38db2389de52199cf62c"},{"fixed":"063183589218fec19a9293ed2f17ec53ea80ba88"}],"database_specific":{"cpe":["cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*","cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"0"},{"fixed":"2.12.7.1"},{"fixed":"2.13.0"},{"introduced":"2.13.0"},{"fixed":"2.13.4"}],"source":["CPE_FIELD","REFERENCES"]}}],"versions":["2.2.0c","2.6.0-rc3b","jackson-databind-2.0.0","jackson-databind-2.0.0-RC1","jackson-databind-2.0.0-RC2","jackson-databind-2.0.0-RC3","jackson-databind-2.0.1","jackson-databind-2.0.2","jackson-databind-2.1.0","jackson-databind-2.1.1","jackson-databind-2.10.0","jackson-databind-2.10.0.pr1","jackson-databind-2.10.0.pr2","jackson-databind-2.10.0.pr3","jackson-databind-2.11.0","jackson-databind-2.11.0.rc1","jackson-databind-2.12.0","jackson-databind-2.12.0-rc1","jackson-databind-2.12.0-rc2","jackson-databind-2.12.1","jackson-databind-2.12.2","jackson-databind-2.12.3","jackson-databind-2.12.4","jackson-databind-2.12.5","jackson-databind-2.12.6","jackson-databind-2.12.6.1","jackson-databind-2.12.7","jackson-databind-2.13.0","jackson-databind-2.13.0-rc1","jackson-databind-2.13.0-rc2","jackson-databind-2.13.1","jackson-databind-2.13.2","jackson-databind-2.13.2.1","jackson-databind-2.13.2.2","jackson-databind-2.13.3","jackson-databind-2.2.0","jackson-databind-2.2.1","jackson-databind-2.2.2","jackson-databind-2.3.0","jackson-databind-2.3.0-rc1","jackson-databind-2.3.1","jackson-databind-2.4.0","jackson-databind-2.4.0-rc1","jackson-databind-2.4.0-rc2","jackson-databind-2.4.0-rc3","jackson-databind-2.4.1","jackson-databind-2.4.1.1","jackson-databind-2.4.1.2","jackson-databind-2.4.1.3","jackson-databind-2.5.0","jackson-databind-2.5.0-rc1","jackson-databind-2.6.0","jackson-databind-2.6.0-rc1","jackson-databind-2.6.0-rc4","jackson-databind-2.6.1","jackson-databind-2.7.0","jackson-databind-2.7.0-rc1","jackson-databind-2.7.0-rc2","jackson-databind-2.7.0-rc3","jackson-databind-2.7.1","jackson-databind-2.7.1-1","jackson-databind-2.8.0","jackson-databind-2.8.1","jackson-databind-2.8.2","jackson-databind-2.9.0","jackson-databind-2.9.0.pr1","jackson-databind-2.9.0.pr2","jackson-databind-2.9.0.pr3","jackson-databind-2.9.0.pr4","jackson-databind-2.9.1","jackson-databind-2.9.3","jackson-databind-2.9.4","jackson-databind-2.9.5","jackson-databind-2.9.6"],"database_specific":{"vanir_signatures":[{"digest":{"length":185,"function_hash":"41769431809239043105801363456361677444"},"target":{"file":"src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3582Test.java","function":"testArrayWrapping"},"source":"https://github.com/fasterxml/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88","signature_version":"v1","id":"CVE-2022-42004-177dace2","signature_type":"Function","deprecated":false},{"digest":{"threshold":0.9,"line_hashes":["196164083740776567542182345255946541246","10894080426655518553889929861642900518","285497585603973688824816331635642080195","262177914682987543292938895227102793127","298595790872575652501042383929196324002","241994611638143361585567038240044388292","117393818864618325195207991637520669061","116477719100725734768123961861805342497"]},"target":{"file":"src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializer.java"},"source":"https://github.com/fasterxml/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88","signature_version":"v1","id":"CVE-2022-42004-b1166048","signature_type":"Line","deprecated":false},{"digest":{"length":1020,"function_hash":"187973000674063989520344797230644815276"},"target":{"file":"src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializer.java","function":"_deserializeFromArray"},"source":"https://github.com/fasterxml/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88","signature_version":"v1","id":"CVE-2022-42004-c3275b0f","signature_type":"Function","deprecated":false},{"digest":{"threshold":0.9,"line_hashes":["245221408806661661172976987552565576740","115491996422398475562653924543632969622","197858643989875646646709426998135342701","114682010537655789279734069001341491122","243574317414497553732521057942017015043","210943436520935603188072514743451616414","147521676498244637025003553143775234557","96474537145626447436069197675871989278","204985837386903992552570727398208016156","113606183479390725392659529307859487808"]},"target":{"file":"src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3582Test.java"},"source":"https://github.com/fasterxml/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88","signature_version":"v1","id":"CVE-2022-42004-e3af9805","signature_type":"Line","deprecated":false}],"vanir_signatures_modified":"2026-04-11T17:20:30Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-42004.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}