Jackson Core and Jackson Databind Stack Overflow Vulnerability Due to Deeply Nested Data

Vulnerability

Jackson Core prior to version 2.15.0 places no limit on how deeply nested a JSON document may be. When an application hands such a document to a consumer that recurses once per nesting level, such as jackson-databind's tree model (readTree) or its bean and untyped deserializers, a sufficiently deep document exhausts the thread stack and a StackOverflowError is thrown. Jackson Databind, which relies on Jackson Core for JSON parsing, is therefore affected through every entry point that reads untrusted input. The document needed to trigger the condition is small: a few thousand bytes of opening brackets followed by the matching closing brackets is enough, so any service that parses attacker-controlled JSON, XML, YAML or other formats built on Jackson Core's parser is exposed.

Impact

Exploitation of this vulnerability can lead to a StackOverflowError, causing a denial of service. StackOverflowError is a java.lang.Error rather than an Exception, so ordinary exception handling around the parse call does not catch it; an uncaught instance terminates the thread handling the request and, in a single-threaded or poorly isolated service, the whole process. Because the malicious document is tiny and costs the attacker nothing to produce, the attack can be repeated at will.

Remediation

Users should upgrade to Jackson Core version 2.15.0 or later, which introduces StreamReadConstraints, a configurable set of parser limits that includes a maximum nesting depth defaulting to 1000. The limit is enforced by the streaming parser itself, which throws a StreamConstraintsException (a regular, catchable JsonProcessingException) as soon as the depth is exceeded and before any recursive consumer touches the data. Jackson Databind users should upgrade to jackson-databind 2.15.0 or later, which depends on the fixed Jackson Core; applications that pin jackson-core separately must make sure the resolved jackson-core version is also 2.15.0 or later, since the protection lives in the core artifact. The constraints are attached to the JsonFactory, so every ObjectMapper built from a given factory inherits them, and the default of 1000 can be lowered for endpoints whose schema never nests deeply.
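The following Java program is an added example and not code from the Jackson project or from this advisory. It assumes jackson-core and jackson-databind 2.15.0 or later on the classpath; the class name NestingDepthDemo and the helpers nestedArrays and parseUntrusted are illustrative names chosen here. It builds a constructed deeply nested document, shows the default 1000-level limit rejecting input one level past the limit, and then builds a mapper with a tighter limit from a custom JsonFactory.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

public class NestingDepthDemo {

    // Constructed sample input: `depth` opening brackets followed by `depth` closing ones,
    // e.g. nestedArrays(3) == "[[[]]]". This is the whole attacker payload.
    static String nestedArrays(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // Returns true if the document parsed, false if the streaming parser refused it.
    // On jackson-core 2.15+, StreamConstraintsException is thrown as soon as the nesting
    // limit is crossed, before readTree's tree builder recurses into the data, so there is
    // nothing for a StackOverflowError to come from.
    static boolean parseUntrusted(ObjectMapper mapper, String json) throws IOException {
        try {
            mapper.readTree(json);
            return true;
        } catch (StreamConstraintsException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // 1) Default constraints in 2.15+: nesting is capped at 1000 levels.
        ObjectMapper defaultMapper = new ObjectMapper();
        System.out.println("depth 1000, default limit: parsed="
                + parseUntrusted(defaultMapper, nestedArrays(1000)));
        System.out.println("depth 1001, default limit: parsed="
                + parseUntrusted(defaultMapper, nestedArrays(1001)));

        // 2) A tighter limit for an endpoint whose schema never nests more than a few levels.
        //    The constraints live on the JsonFactory; every mapper built from it inherits them.
        StreamReadConstraints strict = StreamReadConstraints.builder()
                .maxNestingDepth(32)
                .build();
        JsonFactory strictFactory = JsonFactory.builder()
                .streamReadConstraints(strict)
                .build();
        ObjectMapper strictMapper = new ObjectMapper(strictFactory);
        System.out.println("depth 32, limit 32: parsed="
                + parseUntrusted(strictMapper, nestedArrays(32)));
        System.out.println("depth 33, limit 32: parsed="
                + parseUntrusted(strictMapper, nestedArrays(33)));
    }
}
```

On a Jackson version before 2.15.0 the same program, fed nestedArrays with a depth in the tens of thousands, fails inside readTree with a StackOverflowError that the catch block above does not see. Catching java.lang.Error around the parse is not a substitute for upgrading: the thread stack is already exhausted by the time the error surfaces, and the cost to the attacker of sending another such document is negligible.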

Added: Jun 25, 2025, 5:42 PM
Updated: Jun 25, 2025, 5:42 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.