We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-52999

jackson-core Has Potential for StackoverflowError if user parses an input file that contains very deeply nested data



Description

jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.

Reserved 2025-06-24 | Published 2025-06-25 | Updated 2025-06-25 | Assigner GitHub_M


HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-121: Stack-based Buffer Overflow

Product status

< 2.15.0
affected

References

github.com/...n-core/security/advisories/GHSA-h46c-h94j-95f3

github.com/FasterXML/jackson-core/pull/943

cve.org (CVE-2025-52999)

nvd.nist.gov (CVE-2025-52999)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-52999

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.