Jackson Core 3.x does not consistently enforce StreamReadConstraints.maxDocumentLength. Oversized JSON documents can be accepted without a StreamConstraintsException in multiple parser entry points, which allows configured size limits to be bypassed and weakens denial-of-service protections.
Three code paths where maxDocumentLength is not fully enforced:
Blocking parsers validate only previously processed buffers, not the final in-memory buffer:
ReaderBasedJsonParser.java:255UTF8StreamJsonParser.java:208Relevant code:
_currInputProcessed += bufSize;
_streamReadConstraints.validateDocumentLength(_currInputProcessed);
This means the check occurs only when a completed buffer is rolled over. If an oversized document is fully contained in the final buffer, parsing can complete without any document-length exception.
Async parsers validate previously processed chunks, but do not validate the final chunk on end-of-input:
NonBlockingByteArrayJsonParser.java:49NonBlockingByteBufferJsonParser.java:57NonBlockingUtf8JsonParserBase.java:75Relevant code:
_currInputProcessed += _origBufferLen;
_streamReadConstraints.validateDocumentLength(_currInputProcessed);
public void endOfInput() {
_endOfInput = true;
}
endOfInput() marks EOF but does not perform a final validateDocumentLength(...) call, so an oversized last chunk is accepted.
maxDocumentLength at allJsonFactory.java:457Relevant construction path:
int firstByte = ByteSourceJsonBootstrapper.skipUTF8BOM(input);
return new UTF8DataInputJsonParser(readCtxt, ioCtxt,
readCtxt.getStreamReadFeatures(_streamReadFeatures),
readCtxt.getFormatReadFeatures(_formatReadFeatures),
input, can, firstByte);
```...
3.1.1Exploitability
AV:NAC:LPR:NUI:NScope
S:UImpact
C:NI:NA:H7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H