OSV-2025-638

Import Source

https://github.com/google/oss-fuzz-vulns/blob/main/vulns/https://github.com/allegro/json-avro-converter/OSV-2025-638.yaml

JSON Data

https://api.osv.dev/v1/vulns/OSV-2025-638

Published

2025-08-17T00:01:49.946822Z

Modified

2025-08-17T14:48:59.288257Z

Summary

Security exception in com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer$Vanilla.deser

Details

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=438873397

Crash type: Security exception
Crash state:
com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer$Vanilla.deser
com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer$Vanilla.mapOb
com.fasterxml.jackson.core.json.UTF8StreamJsonParser.findName

References

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=438873397

Affected packages

OSS-Fuzz / json2avro

Package

Name: json2avro
Purl: pkg:generic/json2avro

Affected ranges

Type: GIT
Repo: https://github.com/allegro/json-avro-converter/
Events: Introduced

2973d1546d9e4590f54a029db483d6d8abde808d

Fixed

ad871e8a497003a90da1ff523b18d96e4afbf5c7

Introduced

d92a3390a6213b1caf4b11e26f923bd6501ffb92

Ecosystem specific

{
    "severity": "LOW"
}

Database specific

{
    "fixed_range": "2973d1546d9e4590f54a029db483d6d8abde808d:ad871e8a497003a90da1ff523b18d96e4afbf5c7",
    "introduced_range": "unknown:2973d1546d9e4590f54a029db483d6d8abde808d"
}