PT-2026-23093 · Fasterxml · Jackson-Core

Rohan-Repos +1 · Published 2026-03-04 · Updated 2026-03-11 · CVE-2026-29062

CVSS v4.0: 8.7 High

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

jackson-core versions 3.0.0 through 3.0.x

Description

jackson-core contains core low-level incremental ("streaming") parser and generator abstractions. The UTF8DataInputJsonParser and ReaderBasedJsonParser bypass the maxNestingDepth constraint defined in StreamReadConstraints. This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS). The maxNestingDepth constraint has a default value of 500. The issue was addressed by adding a check that throws a StreamConstraintsException if the limit is reached.

Recommendations

jackson-core versions 3.0.0 through 3.0.x should be upgraded to version 3.1.0 or later.

Exploit

Fix

DoS

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

CVE-2026-29062
GHSA-6V53-7C9G-W56R

Affected Products

Jackson-Core