CVE-2026-29062
Excessive JSON Nesting DoS in jackson-core Parsers
Publication date: 2026-03-06
Last updated on: 2026-03-10
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fasterxml | jackson-core | From 3.0.0 (inc) to 3.1.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29062 is a high-severity vulnerability in the jackson-core library, specifically in the UTF8DataInputJsonParser component used for parsing JSON from a java.io.DataInput source. The vulnerability allows JSON documents with excessively deep nesting to bypass the maximum nesting depth constraint (default 500) defined in StreamReadConstraints.
Because of this bypass, processing such deeply nested JSON can cause a StackOverflowError, leading to a Denial of Service (DoS) condition by exhausting system resources.
The issue was fixed in version 3.1.0 by adding missing checks to enforce the maximum nesting depth limit in all relevant parsing paths, preventing the bypass.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to cause a Denial of Service (DoS) on systems using vulnerable versions of jackson-core (3.0.0 to before 3.1.0).
By supplying a JSON document with excessive nesting, the attacker can trigger a StackOverflowError during JSON parsing, which can crash or destabilize your application or service.
Since the attack requires no privileges or user interaction and can be performed remotely over the network, it poses a significant risk to availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing whether the jackson-core JSON parser enforces the maximum nesting depth constraint when parsing JSON data from a java.io.DataInput source. Specifically, you can attempt to parse a JSON document with excessive nesting (e.g., nesting depth greater than 500) and observe if a StackOverflowError or denial of service occurs.
A practical detection method is to run a test similar to the one implemented in the DeeplyNestedContentViaDataInputTest unit test, which attempts to parse JSON data with a nesting depth of 5000 using a DataInputStream. If the parser does not throw a StreamConstraintsException or otherwise enforce the max nesting depth, the system is vulnerable.
While no specific commands are provided in the resources, you can create a test program or script that uses jackson-core version 3.0.x to parse deeply nested JSON input and monitor for crashes or exceptions indicating the vulnerability.
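The test program described above, written out as an added example (not code from this page or from the jackson project): it builds a constructed document nested 5000 levels deep, parses it through the DataInput path with the default maxNestingDepth of 500, and reports whether the limit was enforced. It assumes the Jackson 3.x API (package tools.jackson.core.* and the createParser(ObjectReadContext, DataInput) overload); the class name NestingDepthCheck is hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInput;
import java.io.DataInputStream;
import java.nio.charset.StandardCharsets;
import tools.jackson.core.JsonParser;
import tools.jackson.core.ObjectReadContext;
import tools.jackson.core.StreamReadConstraints;
import tools.jackson.core.exc.StreamConstraintsException;
import tools.jackson.core.json.JsonFactory;

// Detection check for CVE-2026-29062 (hypothetical class, not jackson code): feeds a
// constructed, deeply nested document through the DataInput parsing path and reports
// whether maxNestingDepth is enforced there. Assumes the Jackson 3.x API: package
// tools.jackson.core.* and the createParser(ObjectReadContext, DataInput) overload.
public class NestingDepthCheck {
    // Well past the default limit of 500; mirrors the depth of 5000 used by the
    // DeeplyNestedContentViaDataInputTest the advisory refers to.
    static final int DEPTH = 5000;

    // Builds "[[[ ... ]]]" with the given nesting depth (constructed input).
    static byte[] nestedArrays(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString().getBytes(StandardCharsets.UTF_8);
    }

    // True only if the DataInput parser rejected the document for exceeding the depth limit.
    static boolean depthLimitEnforced(JsonFactory factory, byte[] doc) throws Exception {
        DataInput in = new DataInputStream(new ByteArrayInputStream(doc));
        try (JsonParser p = factory.createParser(ObjectReadContext.empty(), in)) {
            while (p.nextToken() != null) { /* drain every token */ }
            return false;   // parsed to the end: the limit was never applied
        } catch (StreamConstraintsException e) {
            return true;    // expected from a fixed (3.1.0+) parser
        } catch (StackOverflowError e) {
            return false;   // the vulnerable behaviour the advisory describes
        }
    }

    public static void main(String[] args) throws Exception {
        JsonFactory factory = JsonFactory.builder()
            .streamReadConstraints(StreamReadConstraints.builder().maxNestingDepth(500).build())
            .build();
        boolean enforced = depthLimitEnforced(factory, nestedArrays(DEPTH));
        System.out.println(enforced ? "maxNestingDepth enforced on DataInput path (fixed)"
                                    : "maxNestingDepth NOT enforced on DataInput path (vulnerable)");
    }
}
```

Run it against the exact jackson-core build on your deployment classpath: a 3.0.x build is expected to report the vulnerable outcome, a 3.1.0 or later build the fixed one.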
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation is to upgrade jackson-core to version 3.1.0 or later, where the vulnerability has been patched by enforcing the maximum nesting depth constraint properly.
As a workaround, avoid parsing JSON inputs from untrusted or potentially malicious sources that could contain excessively nested JSON structures.