testing endor labs agenthq comment pr capability - adding com.fasterxml.jackson.core:jackson-databind@2.9.10 dependency

[endor-matt]

this PR is used to test endor labs agenthq comment pr capability

[endor-matt]

@endor-labs-github-agenthq[agent] tell me if this PR introduces any known vulnerabilities

[cp-endor]

@endor-labs-github-agenthq[agent] are there any know vulnerabilities or malware being introduced via this PR, give me list in priority order if any.

[cp-endor]

@endor-labs-github-agenthq[agent] are there any know vulnerabilities or malware being introduced via this PR, give me list in priority order if any.

[cp-endor]

@endor-labs-github-agenthq[agent] is this PR introducing any new vulnerability or malware ? if you find anything please comment in this thread with details.

[endor-labs-github-agenthq]

@endor-labs-github-agenthq[agent] is this PR introducing any new vulnerability or malware ? if you find anything please comment in this thread with details.

Yes — this PR introduces significant risk. Here's what Endor Labs found for com.fasterxml.jackson.core:jackson-databind@2.9.10:

---

🚨 Summary

	Result
Malware	✅ None detected
Vulnerabilities	❌ 43 known vulnerabilities
Latest safe version	2.21.3

---

Top Vulnerabilities (by severity/type)

🔴 Critical / High — Unsafe Deserialization (multiple CVEs)

The most severe issues are a large cluster of unsafe deserialization and serialization gadget vulnerabilities. These allow remote code execution (RCE) if an attacker can control the deserialized input and polymorphic type handling (enableDefaultTyping or @JsonTypeInfo) is in use.

Key advisories:

• GHSA-vfqx-33qm-g869 — Unsafe Deserialization in jackson-databind
• GHSA-r695-7vr9-jgc2 — Unsafe Deserialization in jackson-databind
• GHSA-wh8g-3j2c-rqj5 — Serialization gadgets exploit in jackson-databind
• GHSA-gww7-p5w4-wrfv — Deserialization of Untrusted Data in jackson-databind
• GHSA-p43x-xfjf-5jhr — Mishandled interaction between serialization gadgets and typing
• (…and many more in the same class)

Impact: Remote Code Execution (RCE) in applications that deserialize untrusted JSON with polymorphic typing enabled.

🟠 High — Uncontrolled Resource Consumption

• GHSA-jjjh-jjxp-wpff — Uncontrolled Resource Consumption in jackson-databind

Impact: Denial of Service (DoS) by sending crafted input that causes excessive memory or CPU usage.

---

Remediation

Upgrade to 2.21.3 (the latest version recommended by Endor Labs). This resolves all 43 known vulnerabilities in 2.9.10.

<!-- pom.xml -->
<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>2.21.3</version>
</dependency>

This PR should not be merged with jackson-databind@2.9.10. The version is severely out of date and exposes the application to critical RCE and DoS vulnerabilities.