Hi,
https://tika.apache.org/security-model.html
"The project does not view denial of service issues as security issues"
And we don't use async json parsing.
Nevertheless I've just updated that dependency and started a build.
As we've said before, that version isn't supported anymore, update to
the latest supported version which was released a few days ago.
Tilman
Am 26.03.2026 um 05:26 schrieb Saravanan Balakrishnan:
Hi Tika Team,
Our scan identifies below vulnerability on Tika 2.9.5 Snapshot build,
details are shown below,
/"WS-2026-0003 /
/The non-blocking (async) JSON parser in jackson-core bypasses the
maxNumberLength constraint (default: 1000 characters) defined in
StreamReadConstraints. This allows an attacker to send JSON with
arbitrarily long numbers through the async parser API, leading to
excessive memory allocation and potential CPU exhaustion, resulting in
a Denial of Service (DoS). The standard synchronous parser correctly
enforces this limit, but the async parser fails to do so, creating an
inconsistent enforcement policy. "/
Below is my analysis on this issue reported,
CVE-2025-52999 is associated to this and affected on prior to 2.15.0
release.
For 2.9.5 march build has 2.21.1,
<artifactId>jackson-core</artifactId>
<name>Jackson-core</name>
<version>2.21.1</version>
Kindly share your thoughts on this vulnerability that affects the Tika
2.9.5 March Snapshot build.
Thanks in advance.
Regards,
Saravanan B
