Jackson Core Max Nesting Depth Constraint Bypass Vulnerability in JSON Parsers Allowing Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Jackson Core versions 3.0.0 up to, but not including, 3.1.0. The issue lies in UTF8DataInputJsonParser and ReaderBasedJsonParser, which fail to enforce the maximum nesting depth configured in StreamReadConstraints. As a result, a user can supply a JSON document with excessive nesting that triggers a StackOverflowError when parsed, producing a denial-of-service condition.

Impact

Exploitation of this vulnerability can trigger a StackOverflowError in the parsing thread, causing a denial-of-service condition by exhausting the thread's stack and potentially crashing the application.

Reproduction

The vulnerability can be reproduced with a JSON document whose nesting depth is greater than 500: create a JSON file containing deeply nested arrays or objects and parse it with UTF8DataInputJsonParser or ReaderBasedJsonParser.

Remediation

Users are advised to upgrade to Jackson Core version 3.1.0, where this vulnerability has been patched. Upgrade instructions are available in the Jackson Core repository on GitHub.
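As an added illustration (not code from Jackson or from this advisory), this is the kind of check the affected parsers were meant to perform: an iterative nesting-depth guard that rejects a document with a catchable error the moment it nests one level deeper than the limit, so a recursive parser never reaches the depth that produces a StackOverflowError. Python is used so the example runs stand-alone; the 500 limit and the boundary rule (depth equal to the limit is allowed, one deeper is rejected) are assumptions for this example.

```python
import json

# Assumed limit for this example; the advisory's reproduction uses depth > 500.
DEFAULT_MAX_NESTING_DEPTH = 500

class NestingDepthExceeded(ValueError):
    """Raised when a document nests deeper than the configured limit."""

def check_nesting_depth(doc: str, max_depth: int = DEFAULT_MAX_NESTING_DEPTH) -> int:
    """Return the maximum nesting depth of a JSON text, scanning iteratively.
    Raises NestingDepthExceeded as soon as depth exceeds max_depth, so the cost
    is bounded by the limit; brackets inside string literals are ignored.
    """
    depth = deepest = 0
    in_string = escaped = False
    for ch in doc:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth:  # depth == limit allowed, one deeper rejected (assumed)
                raise NestingDepthExceeded(f"nesting depth {depth} exceeds {max_depth}")
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
    return deepest

def is_within_limit(doc: str, max_depth: int = DEFAULT_MAX_NESTING_DEPTH) -> bool:
    """True if the document passes the depth check, False if it is rejected."""
    try:
        check_nesting_depth(doc, max_depth)
        return True
    except NestingDepthExceeded:
        return False

def nested_array(depth: int) -> str:
    """Constructed sample input: arrays nested `depth` levels deep, e.g. [[[]]]."""
    return "[" * depth + "]" * depth

def parse_guarded(doc: str, max_depth: int = DEFAULT_MAX_NESTING_DEPTH):
    # Run the guard first: a catchable error instead of a stack overflow deep in the parser.
    check_nesting_depth(doc, max_depth)
    return json.loads(doc)
```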

Added: Mar 6, 2026, 8:23 AM
Updated: Mar 6, 2026, 8:23 AM

Vulnerability Rating

Custom Algorithm

spread          7.8
impact          2.5
exploitability  5.7
remediation     7.9
relevance       3.5
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.