The vulnerability stems from how JacksonJsonpInterceptor handles JSONP responses. JSONP relies on a callback parameter to wrap JSON data in a function call. The interceptor's aroundWriteTo method reads this callback parameter but does not sanitize it, so a malicious value is accepted as-is. As a result, an attacker can supply a harmful callback value that is embedded directly into the response body. When a victim's browser executes that response as a script (via <script> tag inclusion), the attacker's code runs in the victim's context, leading to data exfiltration or session hijacking. The CWE-79 classification confirms this is an XSS-related input sanitization flaw, and the advisory explicitly names JacksonJsonpInterceptor as the vulnerable component.
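The defensive check that the interceptor is missing is an allow-list on the callback name before it is written into the response. The following is an added illustration of that check, not RESTEasy's code and not the fixed version of JacksonJsonpInterceptor; the class name JsonpCallbackGuard, the pattern, the length limit and the sample inputs are all assumptions made for the example. It accepts only a plain JavaScript member expression (identifiers separated by dots) and refuses anything else before the wrapping happens, which is the point at which the unsanitized value would otherwise reach the script body.

```java
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

/**
 * Illustrative JSONP callback validation (added example; hypothetical class,
 * not RESTEasy's own implementation).
 *
 * A JSONP writer should only ever emit a callback that is a plain JavaScript
 * member expression such as "handle" or "app.handlers.onData". Anything
 * containing whitespace, quotes, brackets, angle brackets or other punctuation
 * is rejected before it can be copied into the response body.
 */
public final class JsonpCallbackGuard {

    // One identifier, optionally followed by dot-separated identifiers.
    private static final Pattern SAFE_CALLBACK =
        Pattern.compile("^[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)*$");

    // Assumed upper bound; long callback names have no legitimate use.
    private static final int MAX_CALLBACK_LENGTH = 128;

    private JsonpCallbackGuard() {}

    /** Returns true only for callback names that are safe to emit verbatim. */
    public static boolean isSafeCallback(String callback) {
        return callback != null
            && callback.length() <= MAX_CALLBACK_LENGTH
            && SAFE_CALLBACK.matcher(callback).matches();
    }

    /**
     * Wraps an already-serialized JSON document in a callback invocation.
     * Throws instead of embedding the callback when validation fails, so the
     * unsanitized value never reaches the script body.
     */
    public static byte[] wrap(String callback, byte[] json) {
        if (!isSafeCallback(callback)) {
            throw new IllegalArgumentException("JSONP callback rejected by allow-list");
        }
        // The leading comment is a common hardening emitted by JSONP libraries
        // against the response being sniffed as another content type; it is a
        // complement to the allow-list above, not a substitute for it.
        byte[] prefix = ("/**/" + callback + "(").getBytes(StandardCharsets.UTF_8);
        byte[] suffix = ");".getBytes(StandardCharsets.UTF_8);
        byte[] out = new byte[prefix.length + json.length + suffix.length];
        System.arraycopy(prefix, 0, out, 0, prefix.length);
        System.arraycopy(json, 0, out, prefix.length, json.length);
        System.arraycopy(suffix, 0, out, prefix.length + json.length, suffix.length);
        return out;
    }

    public static void main(String[] args) {
        byte[] json = "{\"ok\":true}".getBytes(StandardCharsets.UTF_8);

        // Constructed sample inputs: one well-formed callback, two malformed ones
        // that a vulnerable writer would have copied into the response unchanged.
        String[] samples = { "app.handlers.onData", "bad name", "cb();x" };
        for (String callback : samples) {
            try {
                String body = new String(wrap(callback, json), StandardCharsets.UTF_8);
                System.out.println("accepted: " + body);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: \"" + callback + "\" (" + e.getMessage() + ")");
            }
        }
    }
}
```

In a JAX-RS WriterInterceptor this check belongs in aroundWriteTo before the entity is written: read the callback query parameter, pass it through isSafeCallback, and abort with a 400 response when it fails rather than falling back to writing it through. Setting the response Content-Type to application/javascript (rather than application/json) for the wrapped form is a further, separate hardening step.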