
Kafka Connect: GHSA-72hv-8253-57qq in com.fasterxml.jackson.core:jackson-core (shaded in parquet-jackson) #15621

@rmoff

Description

Note

This analysis was performed with the assistance of Claude Opus 4.6 (Anthropic).

Summary

The Kafka Connect runtime distribution includes parquet-jackson-1.17.0.jar which shades com.fasterxml.jackson.core:jackson-core:2.19.2. This version is affected by GHSA-72hv-8253-57qq (HIGH severity).

The vulnerability is in the non-blocking (async) JSON parser, which bypasses the maxNumberLength constraint (default: 1000 characters) defined in StreamReadConstraints. This allows an attacker to send JSON with arbitrarily long numbers through the async parser API, leading to excessive memory allocation and potential CPU exhaustion (DoS).

Note: Iceberg's own direct jackson-core dependency is already at 2.21.1 (fixed). This issue is specifically about the shaded copy inside parquet-jackson.

Reproducing

Build the Kafka Connect runtime distribution and scan with Trivy:

# Build from main
./gradlew :iceberg-kafka-connect:iceberg-kafka-connect-runtime:distZip -x test -x integrationTest

# Unzip the distribution
unzip -q kafka-connect/kafka-connect-runtime/build/distributions/iceberg-kafka-connect-runtime-*.zip -d /tmp/iceberg-kc-scan

# Scan with Trivy (use rootfs mode for standalone JAR detection)
trivy rootfs /tmp/iceberg-kc-scan/iceberg-kafka-connect-runtime-*/lib/ -s HIGH,CRITICAL --scanners vuln

Trivy output (relevant finding):

parquet-jackson-1.17.0.jar (jar)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────────────────────────┬─────────────────────┬──────────┬──────────┬───────────────────────┬───────────────┐
│               Library                │    Vulnerability    │ Severity │ Version  │    Fixed Version      │     Title     │
├──────────────────────────────────────┼─────────────────────┼──────────┼──────────┼───────────────────────┼───────────────┤
│ com.fasterxml.jackson.core:          │ GHSA-72hv-8253-57qq │   HIGH   │  2.19.2  │ 2.18.6, 2.21.1, 3.1.0 │ jackson-core: │
│ jackson-core                         │                     │          │          │                       │ Number Length │
│                                      │                     │          │          │                       │ Constraint    │
│                                      │                     │          │          │                       │ Bypass ...    │
└──────────────────────────────────────┴─────────────────────┴──────────┴──────────┴───────────────────────┴───────────────┘

Analysis

The vulnerable jackson-core:2.19.2 is shaded inside parquet-jackson-1.17.0.jar. This means it cannot be fixed by overriding the jackson-core version in Iceberg's dependency management — it requires an upstream Parquet release with an updated shaded jackson-core.
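The Trivy finding above comes from the `META-INF/maven/<groupId>/<artifactId>/pom.properties` files that the shade plugin leaves inside the fat jar, which is why the scanner can attribute the relocated classes back to `com.fasterxml.jackson.core:jackson-core`. The script below is an added example, not Iceberg, Parquet or Trivy code: it lists the artifacts embedded in a jar from that metadata, evaluates the advisory's fixed-version list, and reports the class-path prefix the shaded classes were relocated under, which is the concrete evidence that a dependency-management override of the original coordinates cannot replace them. The sample jar is constructed in memory; its `shaded/parquet/` relocation prefix and the branch-based reading of the fixed-version list are assumptions, not something taken from the page.

```python
"""List artifacts shaded into a jar and check them against advisory fixed versions.

Added example (not Iceberg/Parquet/Trivy code). It reads the same
META-INF/maven/<group>/<artifact>/pom.properties entries a jar scanner uses to
attribute a shaded copy to its original Maven coordinates.
"""
import io
import re
import zipfile

# Advisory data as shown in the Trivy output on this page.
ADVISORIES = {
    ("com.fasterxml.jackson.core", "jackson-core"): {
        "id": "GHSA-72hv-8253-57qq",
        "fixed": ["2.18.6", "2.21.1", "3.1.0"],
    },
}

POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_version(v):
    """'2.19.2' -> (2, 19, 2); qualifiers such as '-rc1' are ignored."""
    nums = [int(p) for p in re.findall(r"\d+", v)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_fixed(version, fixed_versions):
    """Assumed reading of a multi-entry fixed-version list: each entry is the first
    fixed release of a maintained branch. A version counts as fixed when it is at or
    past the fix for its own major.minor line, or at or past the newest fix within its
    major version. Lines that received no backport (2.19.x, 2.20.x here) stay vulnerable."""
    v = parse_version(version)
    same_major = [parse_version(f) for f in fixed_versions if parse_version(f)[0] == v[0]]
    if not same_major:
        return False
    if any(f[:2] == v[:2] and v >= f for f in same_major):
        return True
    return v >= max(same_major)


def parse_pom_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        props[key.strip()] = val.strip()
    return props


def embedded_artifacts(jar_bytes):
    """[(groupId, artifactId, version), ...] for every pom.properties in the jar,
    including the ones retained from artifacts that were shaded in."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = POM_PROPS.match(name)
            if not m:
                continue
            props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
            found.append((props.get("groupId", m.group(1)),
                          props.get("artifactId", m.group(2)),
                          props.get("version", "?")))
    return found


def relocated_packages(jar_bytes, package_path):
    """Class-path prefixes under which package_path (e.g. 'com/fasterxml/jackson/core')
    occurs. A non-empty prefix means the classes were relocated by shading, so a
    dependency override of the original coordinates cannot replace them."""
    prefixes = set()
    marker = package_path + "/"
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class") and marker in name:
                prefixes.add(name.split(marker, 1)[0])
    return prefixes


def scan_jar(jar_bytes):
    """Match every embedded artifact against ADVISORIES; return a list of findings."""
    findings = []
    for group, artifact, version in embedded_artifacts(jar_bytes):
        adv = ADVISORIES.get((group, artifact))
        if adv and not is_fixed(version, adv["fixed"]):
            findings.append({
                "artifact": f"{group}:{artifact}",
                "version": version,
                "advisory": adv["id"],
                "fixed": adv["fixed"],
                "relocated_under": sorted(relocated_packages(jar_bytes, group.replace(".", "/"))),
            })
    return findings


def build_sample_jar():
    """Constructed stand-in for parquet-jackson-1.17.0.jar: its own pom.properties,
    the pom.properties retained from the shaded jackson-core 2.19.2, and one relocated
    class. The 'shaded/parquet/' prefix is an assumption for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/org.apache.parquet/parquet-jackson/pom.properties",
                    "groupId=org.apache.parquet\nartifactId=parquet-jackson\nversion=1.17.0\n")
        zf.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.properties",
                    "#Generated by Maven\ngroupId=com.fasterxml.jackson.core\n"
                    "artifactId=jackson-core\nversion=2.19.2\n")
        zf.writestr("shaded/parquet/com/fasterxml/jackson/core/JsonParser.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_jar(build_sample_jar()):
        print(f"{f['artifact']} {f['version']} -> {f['advisory']} "
              f"(fixed: {', '.join(f['fixed'])}); classes relocated under {f['relocated_under']}")
```

To run it against the real distribution, pass the bytes of `lib/parquet-jackson-1.17.0.jar` to `scan_jar()`; a non-empty `relocated_under` on the finding is the signal that the fix has to come from a new parquet-jackson release rather than from Iceberg's dependency management.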

Dependency chain

parquet-jackson:1.17.0 (containing shaded jackson-core:2.19.2) is pulled in transitively by:

  • iceberg-parquet -> parquet-hadoop:1.17.0 -> parquet-jackson:1.17.0

Upstream tracking

  • parquet-java issue: apache/parquet-java#3410 — filed March 2, 2026, no response yet
  • Latest parquet-java release is 1.17.0 (January 13, 2026), which predates this advisory (February 28, 2026)

Blocked on

  • A new parquet-java release that bumps the shaded jackson-core to >= 2.21.1
