Which jackson-databind version correctly depends on jackson-core 2.15.0+ to fix SNYK-JAVA-COMFASTERXMLJACKSONCORE-10500754? #5339

MahogaWeerasinghe · 2025-10-10T04:00:10Z

MahogaWeerasinghe
Oct 10, 2025

Hello Jackson team,

We're using jackson-databind 2.19.1, which appears to have a transitive dependency on the vulnerable jackson-core 2.14.3 instead of a fixed version (2.15.0+).

So which version of jackson-databind properly depends on jackson-core 2.15.0 or later?

Vulnerability Report: https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-10500754

cowtowncoder · 2025-10-10T04:56:39Z

cowtowncoder
Oct 10, 2025
Maintainer

jackson-databind 2.19.1 definitely does not depend on 2.14.3 of jackson-core but 2.19.1: versions of databind and core should always much wrt minor version at least.
In fact 2.19 databind is unlikely to work with 2.14 of jackson-core.

So I suggest you first figure out how to use matching jackson-core version.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Which jackson-databind version correctly depends on jackson-core 2.15.0+ to fix SNYK-JAVA-COMFASTERXMLJACKSONCORE-10500754? #5339

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Uh oh!

Which jackson-databind version correctly depends on jackson-core 2.15.0+ to fix SNYK-JAVA-COMFASTERXMLJACKSONCORE-10500754? #5339

Uh oh!

MahogaWeerasinghe Oct 10, 2025

Replies: 1 comment

Uh oh!

Uh oh!

cowtowncoder Oct 10, 2025 Maintainer

MahogaWeerasinghe
Oct 10, 2025

cowtowncoder
Oct 10, 2025
Maintainer