SDL Web 8.5, with at least the cumulative hotfix
CD_8.5.0.8740 in place, gets the Jackson Databind library updated to version 2.9.4. One can self service updates to this library with patch versions for the 2.9.x branch as needed.
The Jackson Databind versions for 2.9.x have had several vulnerabilities including the last version 2.9.10. This is shown here
CVE-2019-16943.Jackson Databind 2.10.x is the more stable version but is a minor version update with many breaking changes for
SDL Web 8.5 and cannot be self updated.