Skip to content

bump jackson to 2.18.8 to address CVE-2026-54512 and CVE-2026-54513#455

Open
srprash wants to merge 1 commit into
masterfrom
bump-jackson-cve-fix
Open

bump jackson to 2.18.8 to address CVE-2026-54512 and CVE-2026-54513#455
srprash wants to merge 1 commit into
masterfrom
bump-jackson-cve-fix

Conversation

@srprash

@srprash srprash commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Bumps com.fasterxml.jackson:jackson-bom and jackson-datatype from 2.18.6 to 2.18.8 in dependencyManagement.
  • Remediates two HIGH severity jackson-databind CVEs flagged by the daily dependency scan.

CVEs addressed

CVE Severity Title Fixed in
CVE-2026-54512 HIGH Arbitrary code execution via PolymorphicTypeValidator bypass 2.18.8
CVE-2026-54513 HIGH Security bypass allowing arbitrary code execution 2.18.8

Chose 2.18.8 (lowest patch in the existing 2.18.x line) to minimize regression risk.

Test plan

  • ./gradlew :aws-xray-recorder-sdk-core:dependencies resolves jackson-databind to 2.18.8
  • CI build + tests green

🤖 Generated with Claude Code

Bumps jackson-bom and jackson-datatype from 2.18.6 to 2.18.8 to remediate
two HIGH severity jackson-databind CVEs flagged by the daily dependency scan:
- CVE-2026-54512: arbitrary code execution via PolymorphicTypeValidator bypass
- CVE-2026-54513: security bypass allowing arbitrary code execution

Both are fixed in jackson-databind 2.18.8. Verified the dependency tree
resolves jackson-databind to 2.18.8.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@srprash srprash requested a review from a team as a code owner July 7, 2026 21:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant