
CVE-2025-49128: CWE-209: Generation of Error Message Containing Sensitive Information in FasterXML jackson-core

Medium
Tags: Vulnerability, CVE-2025-49128, CWE-209
Published: Fri Jun 06 2025 (06/06/2025, 21:18:27 UTC)
Source: CVE Database V5
Vendor/Project: FasterXML
Product: jackson-core

Description

Jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. Starting in version 2.0.0 and prior to version 2.13.0, a flaw in jackson-core's `JsonLocation._appendSourceDesc` method allows up to 500 bytes of unintended memory content to be included in exception messages. When parsing JSON from a byte array with an offset and length, the exception message incorrectly reads from the beginning of the array instead of the logical payload start. This results in possible information disclosure in systems using pooled or reused buffers, like Netty or Vert.x. This issue was silently fixed in jackson-core version 2.13.0, released on September 30, 2021, via PR #652. All users should upgrade to version 2.13.0 or later. If upgrading is not immediately possible, applications can mitigate the issue by disabling exception message exposure to clients to avoid returning parsing exception messages in HTTP responses and/or disabling source inclusion in exceptions to prevent Jackson from embedding any source content in exception messages, avoiding leakage.

AI-Powered Analysis

Last updated: 07/08/2025, 12:25:10 UTC

Technical Analysis

CVE-2025-49128 is a medium-severity information-disclosure vulnerability in jackson-core, the streaming parser and generator layer underneath Jackson's JSON processing and therefore present in a large share of Java applications. Versions from 2.0.0 up to but not including 2.13.0 are affected. The defect is in JsonLocation._appendSourceDesc, the method that renders the "[Source: ...]" portion of a parse exception message. When a parser is created from a byte array together with an offset and a length, that source snippet is rendered from index 0 of the array rather than from the logical start of the JSON payload. The snippet is capped at 500 bytes, so up to 500 bytes that precede the payload in the same backing array can end up in the exception message. In frameworks that pool or reuse buffers (Netty, Vert.x and similar), those bytes can be remnants of earlier requests: headers, tokens, other users' payloads. This is CWE-209, generation of an error message containing sensitive information. The fix shipped silently in 2.13.0 on September 30, 2021; from that release the source description starts at the offset. Triggering the flaw needs no authentication or user interaction: an attacker sends malformed JSON, and the leak happens wherever the resulting exception message is exposed, typically an HTTP error body that echoes the parser's message, or a log the attacker can read. The CVSS score is 4.0 (medium), reflecting a confidentiality-only impact with no effect on integrity or availability, and no exploitation in the wild has been reported. Mitigations are to upgrade to jackson-core 2.13.0 or later; failing that, to stop returning parse exception messages to clients, and to disable source inclusion in locations (JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION, available from 2.9 and enabled by default in the affected releases) so that no source content is embedded in exception messages at all.

Potential Impact

For European organizations, this vulnerability poses a risk of sensitive data leakage through error messages generated by applications using vulnerable jackson-core versions. Since jackson-core is a core JSON processing library used in many Java-based enterprise applications and middleware, the exposure could include confidential information such as authentication tokens, personal data, or internal system details if buffer contents contain such data. This can lead to violations of data protection regulations such as GDPR, resulting in legal and reputational consequences. The impact is heightened in environments using buffer pooling or reuse (e.g., Netty, Vert.x), common in high-performance or cloud-native applications. Although the vulnerability does not allow code execution or system compromise, the confidentiality breach can aid attackers in reconnaissance or further attacks. European organizations relying on Java microservices, APIs, or web applications that utilize jackson-core versions prior to 2.13.0 should consider this a significant risk vector for information disclosure.

Mitigation Recommendations

1. Upgrade jackson-core to 2.13.0 or later. This is the complete fix; because it shipped silently, scan dependency trees (including transitive dependencies pulled in by jackson-databind, Spring, Vert.x and the like) rather than relying on advisories having flagged the version at the time.
2. If upgrading is not immediately possible, stop exposing parser exception messages to clients: map JsonProcessingException (and its subclasses) to a generic 400 response that carries at most the original message and line/column, never e.getMessage() with its "[Source: ...]" snippet.
3. Disable source inclusion in locations so that Jackson embeds no source content in exception messages: on 2.9 through 2.12 this is JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION, disabled on the JsonFactory (it is enabled by default in those versions; from 2.16 the equivalent StreamReadFeature is off by default).
4. Audit logging: parser exception messages written to logs carry the same snippet, so either apply the feature above or sanitise before logging, and treat existing logs produced by affected versions as potentially containing leaked buffer content.
5. Cover error handling in code review and penetration tests: send malformed JSON to every endpoint that parses request bodies and check whether the response or the logs echo bytes that were not part of the request.
6. Where Netty, Vert.x or similar buffer pooling is in use, check how request bodies are handed to Jackson. Passing a copy of exactly the logical payload (or a stream over it) instead of the pooled array plus offset removes the bytes the bug can read; zeroing buffers on release is a heavier alternative.
7. Monitor for bursts of malformed-JSON requests and for error responses whose size or content does not match the expected error template, which is what probing for this leak looks like.
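The byte-array-with-offset leak described in the analysis above, together with mitigations 2, 3 and 6, as one added worked example in Java. This is illustrative code written for this page, not jackson-core's own code or test suite. The STALE_PREFIX and PAYLOAD strings, the pooledBuffer helper and the class name are constructed for the demonstration; the only Jackson calls used are JsonFactory.createParser(byte[], int, int), JsonFactory.disable(JsonParser.Feature), JsonProcessingException.getLocation() and JsonLocation.getLineNr()/getColumnNr(), all present in the 2.9+ API. Run it with jackson-core 2.9.x to 2.12.x on the classpath to see the stale prefix appear in the first message; with 2.13.0 or later the snippet starts at the offset and all three cases report leaked=false.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonLocation;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonProcessingException;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/**
 * Reproduces the CVE-2025-49128 condition (byte[] + offset/length parse) and shows the
 * non-upgrade mitigations side by side. Illustrative code, not part of jackson-core.
 */
public class JacksonOffsetLeakDemo {

    // Constructed sample input: a "pooled" buffer whose leading bytes still hold data from an
    // earlier request (stand-in for what Netty/Vert.x buffer reuse can leave behind).
    static final String STALE_PREFIX =
            "POST /login HTTP/1.1\r\nAuthorization: Bearer stale-token-from-previous-request\r\n\r\n";
    // Malformed on purpose: the value after "broken": is missing, so the parser throws.
    static final String PAYLOAD = "{\"user\": \"alice\", \"broken\": }";

    static byte[] pooledBuffer(String stale, String payload) {
        byte[] s = stale.getBytes(StandardCharsets.UTF_8);
        byte[] p = payload.getBytes(StandardCharsets.UTF_8);
        byte[] buf = Arrays.copyOf(s, s.length + p.length);
        System.arraycopy(p, 0, buf, s.length, p.length);
        return buf;
    }

    /** Parses buf[offset, offset+len) and returns the parse exception, or null if the input was valid. */
    static JsonProcessingException parseAndCapture(JsonFactory f, byte[] buf, int offset, int len)
            throws IOException {
        try (JsonParser p = f.createParser(buf, offset, len)) {
            while (p.nextToken() != null) {
                // drain all tokens; we only care whether an error is raised
            }
            return null;
        } catch (JsonProcessingException e) {
            return e;
        }
    }

    /**
     * Mitigation 2 (do not expose exception messages to clients): never forward e.getMessage(),
     * which carries the "[Source: ...]" snippet. Return only a fixed text plus the position;
     * log the full exception server-side only if the logs are trusted.
     */
    static String clientSafeMessage(JsonProcessingException e) {
        JsonLocation loc = e.getLocation();
        String where = (loc == null) ? "" : " at line " + loc.getLineNr() + ", column " + loc.getColumnNr();
        return "Malformed JSON" + where;
    }

    static boolean leaks(JsonProcessingException e) {
        return e != null && e.getMessage().contains("stale-token");
    }

    public static void main(String[] args) throws IOException {
        byte[] buf = pooledBuffer(STALE_PREFIX, PAYLOAD);
        int offset = STALE_PREFIX.getBytes(StandardCharsets.UTF_8).length;
        int len = buf.length - offset;

        // 1. Default factory: on affected versions the "[Source: (byte[])...]" part of the message
        //    is rendered from buf[0], so the stale prefix (up to 500 bytes) appears in it.
        JsonProcessingException e1 = parseAndCapture(new JsonFactory(), buf, offset, len);
        System.out.println("default factory   leaked=" + leaks(e1));
        System.out.println("  full message : " + e1.getMessage());
        System.out.println("  client-safe  : " + clientSafeMessage(e1));

        // 2. Mitigation 3 (disable source inclusion): JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION
        //    (available since jackson-core 2.9) stops Jackson embedding any source bytes at all.
        JsonFactory noSource = new JsonFactory();
        noSource.disable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION);
        JsonProcessingException e2 = parseAndCapture(noSource, buf, offset, len);
        System.out.println("source disabled   leaked=" + leaks(e2));

        // 3. Mitigation 6 (caller-side): hand Jackson only the logical payload, so there are no
        //    bytes before the payload for the message builder to read.
        byte[] exact = Arrays.copyOfRange(buf, offset, offset + len);
        JsonProcessingException e3 = parseAndCapture(new JsonFactory(), exact, 0, exact.length);
        System.out.println("exact-size copy   leaked=" + leaks(e3));
    }
}
```

The first case is the only one that prints leaked=true on an affected release; the other two stay false on every version, which is why they are usable as stop-gaps before the upgrade. clientSafeMessage is what an HTTP error handler should return regardless of version, since even the fixed snippet still echoes up to 500 bytes of the request back to the client.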


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-06-02T10:39:41.633Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68435e1971f4d251b5e1083c

Added to database: 6/6/2025, 9:31:05 PM

Last enriched: 7/8/2025, 12:25:10 PM

Last updated: 8/18/2025, 11:34:04 PM

