CVE-2025-52999
Awaiting Analysis Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-06-25

Last updated on: 2025-06-26

Assigner: GitHub, Inc.

Description
jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-25
Last Modified
2025-06-26
Generated
2026-05-07
AI Q&A
2025-06-25
EPSS Evaluated
2026-05-05
NVD
CVE-2025-52999
EUVD
EUVD-2025-28482
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in jackson-core versions prior to 2.15.0, where parsing JSON input files with very deeply nested data structures can cause a StackoverflowError due to excessive recursion depth. The parser did not limit how deep it would traverse nested JSON, leading to potential crashes. The issue was fixed in version 2.15.0 by adding a configurable maximum nesting depth limit (default 1000). If this limit is exceeded, jackson-core throws a StreamConstraintsException instead of crashing. [1]


How can this vulnerability impact me? :

If you parse JSON input files with very deeply nested structures using vulnerable versions of jackson-core, your application could crash due to a StackoverflowError. This can lead to denial of service or instability in your system. The vulnerability can be exploited by sending maliciously crafted JSON inputs with excessive nesting depth. Using jackson-core 2.15.0 or later mitigates this by enforcing a nesting depth limit and throwing an exception instead of crashing. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for errors related to JSON parsing of deeply nested input files, specifically looking for StackoverflowError or StreamConstraintsException in logs when processing JSON data with jackson-core versions prior to 2.15.0. Since the issue arises from parsing deeply nested JSON, you can test by attempting to parse JSON files with nesting depth greater than 1000 and observe if a StackoverflowError occurs (indicating vulnerable versions) or a StreamConstraintsException is thrown (indicating patched versions). There are no specific network commands provided, but you can use application-level logging and JSON parsing tests to detect the issue. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading jackson-core to version 2.15.0 or later, which introduces a configurable maximum nesting depth limit (default 1000) to prevent stack overflow errors. Additionally, avoid parsing JSON input files from untrusted sources to reduce risk. If upgrading is not immediately possible, implement input validation to reject or limit deeply nested JSON structures before parsing. [1, 2]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart