PT-2025-26867 · Unknown+7 · Jackson-Core+7
Pjfanning · Published 2025-06-06 · Updated 2026-05-18 · CVE-2025-52999
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions:
jackson-core versions prior to 2.15.0
Description:
Parsing an input file with deeply nested data can cause a StackOverflowError when the nesting depth is excessive. jackson-core 2.15.0 introduces a configurable limit on traversal depth, defaulting to 1000, to prevent this error; if the limit is reached, a StreamConstraintsException is thrown. As a workaround, users should avoid parsing input files from untrusted sources.
Recommendations:
For versions prior to 2.15.0, update to version 2.15.0 or later, which includes the configurable depth limit and prevents the StackOverflowError.
As a temporary workaround, consider avoiding the parsing of deeply nested input files from untrusted sources until the update is applied.
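Added example (not part of the original advisory or the jackson-core project's own code): on 2.15.0 or later, the depth limit can be set below the default of 1000 for parsers that read untrusted input, and StreamConstraintsException handled as a rejected request. The class name, the 50-level policy and the sample inputs are assumptions constructed for illustration.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;

import java.io.IOException;

public class NestingLimitDemo {

    // Assumed policy for this sketch: documents from untrusted callers
    // never legitimately nest deeper than 50 levels.
    static final int MAX_DEPTH = 50;

    // Factory dedicated to untrusted input, with a limit tighter than the default.
    static JsonFactory untrustedInputFactory() {
        StreamReadConstraints constraints = StreamReadConstraints.builder()
                .maxNestingDepth(MAX_DEPTH)   // library default is 1000
                .build();
        return JsonFactory.builder()
                .streamReadConstraints(constraints)
                .build();
    }

    // Walks every token; returns false if the nesting limit rejected the input.
    static boolean withinLimit(JsonFactory factory, String json) throws IOException {
        try (JsonParser parser = factory.createParser(json)) {
            while (parser.nextToken() != null) {
                // Tokens are only consumed here; real code would read values.
            }
            return true;
        } catch (StreamConstraintsException e) {
            // Treat as a rejected request. Log server-side instead of
            // returning the parser's message to the caller.
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    // Constructed sample input: `depth` nested, empty JSON arrays.
    static String nestedArrays(int depth) {
        return "[".repeat(depth) + "]".repeat(depth);
    }

    public static void main(String[] args) throws IOException {
        JsonFactory factory = untrustedInputFactory();
        System.out.println("depth 10 accepted: " + withinLimit(factory, nestedArrays(10)));
        System.out.println("depth 100 accepted: " + withinLimit(factory, nestedArrays(100)));
    }
}
```

The same builder call does not exist before 2.15.0, so a compile failure on StreamReadConstraints is itself a sign that the dependency still needs updating.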
Exploit
Fix
DoS
Generation of Error Message Containing Sensitive Information
Allocation of Resources Without Limits
Stack Overflow
Affected Products
Almalinux
Bitbucket
Centos
Debian
Red Hat
Red Os
Rocky Linux
Jackson-Core