Visit NES for Jackson Home Page
Jackson Core Release Notes
2 versions
Comprehensive release notes and changelog for Jackson Core, detailing HeroDevs-provided security patches across all supported versions.
March 2026
2.13.7
Released on Mar 3, 2026 Full Version:
2.13.5-jackson-core-2.13.7
Bug Fixes
This release patches the following:
- GHSA-72hv-8253-57qq: Number Length Constraint Bypass in Async Parser
- The default maximum length of a numeric value is 1000 to prevent potential denial-of-service attacks.
- JsonFactory builder has streamReadConstraints for configuring the max number length.
- Possible Breaking Change: Applications that rely on number lengths >=1000 will need to increase the maximum allowed length.
Dependency Upgrades
- Jackson BOM (NES)
2.13.5-jackson-bom-2.13.7
September 2025
2.13.6
Released on Sep 25, 2025 Full Version:
2.13.5-jackson-core-2.13.6
Notes
- This release originates from the open‑source jackson-core project forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds.
Bug Fixes
This release patches the following:
- CVE-2025-52999: Nested data handling flaw in Jackson Core
- The default maximum nesting level is 1000 to prevent potential denial-of-service attacks.
- JsonFactory builder has streamReadConstraints for configuring the max nesting level.
- Possible Breaking Change: Applications that rely on specific nested data structures >=1000 will need to increase the maximum allowed nesting level.
Dependency Updates
- Jackson BOM (NES)
2.13.5-jackson-bom-2.13.6
Stay in the loop
~/herodevs-spring-framework-support
herodevs@nes:open-source$ ./display-support-info.sh