📂 Vulnerable Library - jackson-dataformat-yaml-2.14.2.jar
Support for reading and writing YAML-encoded data via Jackson abstractions.
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-yaml/2.14.2/jackson-dataformat-yaml-2.14.2.jar
Findings
| Finding |
Severity |
🎯 CVSS |
Exploit Maturity |
EPSS |
Library |
Type |
Fixed in |
Remediation Available |
Reachability |
| CVE-2022-1471 |
🔴 High |
8.3 |
Functional |
93.8% |
snakeyaml-1.33.jar |
Transitive |
N/A |
❌ |
 Reachable |
| CVE-2025-52999 |
🔴 High |
7.5 |
Not Defined |
< 1% |
jackson-core-2.14.2.jar |
Transitive |
N/A |
❌ |
Reachable |
| WS-2022-0468 |
🔴 High |
7.5 |
N/A |
N/A |
jackson-core-2.14.2.jar |
Transitive |
N/A |
❌ |
Reachable |
| WS-2026-0003 |
🔴 High |
7.5 |
N/A |
N/A |
jackson-core-2.14.2.jar |
Transitive |
N/A |
❌ |
Reachable |
Details
🔴CVE-2022-1471
Vulnerable Library - snakeyaml-1.33.jar
YAML 1.1 parser and emitter for Java
Library home page: https://bitbucket.org/snakeyaml/snakeyaml
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar
Dependency Hierarchy:
- jackson-dataformat-yaml-2.14.2.jar (Root Library)
- ❌ snakeyaml-1.33.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- com.houarizegai.calculator.theme.ThemeLoader (Application)
- com.fasterxml.jackson.dataformat.yaml.YAMLFactory (Extension)
- com.fasterxml.jackson.dataformat.yaml.YAMLParser (Extension)
- org.yaml.snakeyaml.parser.ParserImpl (Extension)
-> ❌ org.yaml.snakeyaml.parser.ParserImpl$ParseFlowSequenceFirstEntry (Vulnerable Component)
Vulnerability Details
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
Publish Date: Dec 01, 2022 10:47 AM
URL: CVE-2022-1471
Threat Assessment
Exploit Maturity:Functional
EPSS:93.8%
Score: 8.3
Suggested Fix
Type: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374
Release Date: Dec 01, 2022 10:47 AM
Fix Resolution : org.yaml:snakeyaml:2.0
🔴CVE-2025-52999
Vulnerable Library - jackson-core-2.14.2.jar
Core Jackson processing abstractions (aka Streaming API), implementation for JSON
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.14.2/jackson-core-2.14.2.jar
Dependency Hierarchy:
- jackson-dataformat-yaml-2.14.2.jar (Root Library)
- jackson-databind-2.14.2.jar
- ❌ jackson-core-2.14.2.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- com.houarizegai.calculator.theme.ThemeLoader (Application)
- com.fasterxml.jackson.databind.ObjectMapper (Extension)
- com.fasterxml.jackson.core.exc.StreamReadException (Extension)
-> ❌ com.fasterxml.jackson.core.base.ParserBase (Vulnerable Component)
Vulnerability Details
jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.
Publish Date: Jun 25, 2025 05:02 PM
URL: CVE-2025-52999
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: FasterXML/jackson-core@54f78a9
Release Date: Jun 25, 2025 05:02 PM
Fix Resolution : https://github.com/FasterXML/jackson-core.git - jackson-core-2.15.0,com.fasterxml.jackson.core:jackson-core:2.15.0
🔴WS-2022-0468
Vulnerable Library - jackson-core-2.14.2.jar
Core Jackson processing abstractions (aka Streaming API), implementation for JSON
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.14.2/jackson-core-2.14.2.jar
Dependency Hierarchy:
- jackson-dataformat-yaml-2.14.2.jar (Root Library)
- jackson-databind-2.14.2.jar
- ❌ jackson-core-2.14.2.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- com.houarizegai.calculator.theme.ThemeLoader (Application)
- com.fasterxml.jackson.databind.ObjectMapper (Extension)
-> ❌ com.fasterxml.jackson.core.JsonFactory (Vulnerable Component)
Vulnerability Details
The jackson-core package is vulnerable to a Denial of Service (DoS) attack. The methods in the classes listed below fail to restrict input size when performing numeric type conversions. A remote attacker can exploit this vulnerability by causing the application to deserialize data containing certain numeric types with large values. Deserializing many of the aforementioned objects may cause the application to exhaust all available resources, resulting in a DoS condition.
Publish Date: Dec 07, 2022 10:00 PM
URL: WS-2022-0468
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: FasterXML/jackson-core#861
Release Date: Dec 07, 2022 10:00 PM
Fix Resolution : com.fasterxml.jackson.core:jackson-core:2.15.0
🔴WS-2026-0003
Vulnerable Library - jackson-core-2.14.2.jar
Core Jackson processing abstractions (aka Streaming API), implementation for JSON
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.14.2/jackson-core-2.14.2.jar
Dependency Hierarchy:
- jackson-dataformat-yaml-2.14.2.jar (Root Library)
- jackson-databind-2.14.2.jar
- ❌ jackson-core-2.14.2.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- com.houarizegai.calculator.theme.ThemeLoader (Application)
- com.fasterxml.jackson.databind.ObjectMapper (Extension)
- com.fasterxml.jackson.databind.ObjectReader (Extension)
-> ❌ com.fasterxml.jackson.core.JsonPointer (Vulnerable Component)
Vulnerability Details
The non-blocking (async) JSON parser in jackson-core bypasses the maxNumberLength constraint (default: 1000 characters) defined in StreamReadConstraints. This allows an attacker to send JSON with arbitrarily long numbers through the async parser API, leading to excessive memory allocation and potential CPU exhaustion, resulting in a Denial of Service (DoS).
The standard synchronous parser correctly enforces this limit, but the async parser fails to do so, creating an inconsistent enforcement policy.
Publish Date: Mar 02, 2026 10:00 PM
URL: WS-2026-0003
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-72hv-8253-57qq
Release Date: Mar 02, 2026 10:00 PM
Fix Resolution : com.fasterxml.jackson.core:jackson-core:2.18.6,https://github.com/FasterXML/jackson-core.git - jackson-core-2.21.1,https://github.com/FasterXML/jackson-core.git - jackson-core-2.18.6,tools.jackson.core:jackson-core:3.1.0,https://github.com/FasterXML/jackson-core.git - jackson-core-3.1.0
📂 Vulnerable Library - jackson-dataformat-yaml-2.14.2.jar
Support for reading and writing YAML-encoded data via Jackson abstractions.
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-yaml/2.14.2/jackson-dataformat-yaml-2.14.2.jar
Findings
Details
🔴CVE-2022-1471
Vulnerable Library - snakeyaml-1.33.jar
YAML 1.1 parser and emitter for Java
Library home page: https://bitbucket.org/snakeyaml/snakeyaml
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
Publish Date: Dec 01, 2022 10:47 AM
URL: CVE-2022-1471
Threat Assessment
Exploit Maturity:Functional
EPSS:93.8%
Score: 8.3
Suggested Fix
Type: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374
Release Date: Dec 01, 2022 10:47 AM
Fix Resolution : org.yaml:snakeyaml:2.0
🔴CVE-2025-52999
Vulnerable Library - jackson-core-2.14.2.jar
Core Jackson processing abstractions (aka Streaming API), implementation for JSON
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.14.2/jackson-core-2.14.2.jar
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.
Publish Date: Jun 25, 2025 05:02 PM
URL: CVE-2025-52999
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: FasterXML/jackson-core@54f78a9
Release Date: Jun 25, 2025 05:02 PM
Fix Resolution : https://github.com/FasterXML/jackson-core.git - jackson-core-2.15.0,com.fasterxml.jackson.core:jackson-core:2.15.0
🔴WS-2022-0468
Vulnerable Library - jackson-core-2.14.2.jar
Core Jackson processing abstractions (aka Streaming API), implementation for JSON
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.14.2/jackson-core-2.14.2.jar
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
The jackson-core package is vulnerable to a Denial of Service (DoS) attack. The methods in the classes listed below fail to restrict input size when performing numeric type conversions. A remote attacker can exploit this vulnerability by causing the application to deserialize data containing certain numeric types with large values. Deserializing many of the aforementioned objects may cause the application to exhaust all available resources, resulting in a DoS condition.
Publish Date: Dec 07, 2022 10:00 PM
URL: WS-2022-0468
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: FasterXML/jackson-core#861
Release Date: Dec 07, 2022 10:00 PM
Fix Resolution : com.fasterxml.jackson.core:jackson-core:2.15.0
🔴WS-2026-0003
Vulnerable Library - jackson-core-2.14.2.jar
Core Jackson processing abstractions (aka Streaming API), implementation for JSON
Library home page: http://fasterxml.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.14.2/jackson-core-2.14.2.jar
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
The non-blocking (async) JSON parser in jackson-core bypasses the maxNumberLength constraint (default: 1000 characters) defined in StreamReadConstraints. This allows an attacker to send JSON with arbitrarily long numbers through the async parser API, leading to excessive memory allocation and potential CPU exhaustion, resulting in a Denial of Service (DoS).
The standard synchronous parser correctly enforces this limit, but the async parser fails to do so, creating an inconsistent enforcement policy.
Publish Date: Mar 02, 2026 10:00 PM
URL: WS-2026-0003
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-72hv-8253-57qq
Release Date: Mar 02, 2026 10:00 PM
Fix Resolution : com.fasterxml.jackson.core:jackson-core:2.18.6,https://github.com/FasterXML/jackson-core.git - jackson-core-2.21.1,https://github.com/FasterXML/jackson-core.git - jackson-core-2.18.6,tools.jackson.core:jackson-core:3.1.0,https://github.com/FasterXML/jackson-core.git - jackson-core-3.1.0