The Docusign-esign-java libary released a new version (6.7.0) last on 7/1/2026; however, it still uses a version of com.fasterxml.jackson.core (2.17.1) that has a vulnerability (CVE GHSA-72hv-8253-57qq). This vulnerability was fixed in version 2.18.6 and 2.21.1. When can we expect docusign-esign-java to be updated to use a jackson.core version with the fix?
This is the entry in my pom.xml
<dependency>
<groupId>com.docusign</groupId>
<artifactId>docusign-esign-java</artifactId>
<version>6.7.0</version>
<classifier>shaded</classifier>
</dependency>
If I remove the shaded classifier then the application throws an error (java.lang.NoClassDefFoundError: com/fasterxml/jackson/databind/util/ISO8601DateFormat) when it tries to create a com.docusign.esign.client.ApiClient
Question
Vulnerability in docusign-esign-java
Sign up
Already have an account? Login
You can login or register as either a Docusign customer or developer. If you don’t already have a Docusign customer or developer account, you can create one for free when registering.
Customer Login/Registration Developer Login/RegistrationDocusign Community
No account yet? Create an account
You can login or register as either a Docusign customer or developer. If you don’t already have a Docusign customer or developer account, you can create one for free when registering.
Customer Login/Registration Developer Login/RegistrationEnter your E-mail address. We'll send you an e-mail with instructions to reset your password.
Back to Docusign.com

