CVE-2026-29062
Received Received - Intake
Excessive JSON Nesting DoS in jackson-core Parsers

Publication date: 2026-03-06

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. A similar issue was found in ReaderBasedJsonParser. This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS). This issue has been patched in version 3.1.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-29062
EUVD
EUVD-2026-10018
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fasterxml jackson-core From 3.0.0 (inc) to 3.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-29062 is a high-severity vulnerability in the jackson-core library, specifically in the UTF8DataInputJsonParser component used for parsing JSON from a java.io.DataInput source. The vulnerability allows JSON documents with excessively deep nesting to bypass the maximum nesting depth constraint (default 500) defined in StreamReadConstraints.

Because of this bypass, processing such deeply nested JSON can cause a StackOverflowError, leading to a Denial of Service (DoS) condition by exhausting system resources.

The issue was fixed in version 3.1.0 by adding missing checks to enforce the maximum nesting depth limit in all relevant parsing paths, preventing the bypass.

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause a Denial of Service (DoS) on systems using vulnerable versions of jackson-core (3.0.0 to before 3.1.0).

By supplying a JSON document with excessive nesting, the attacker can trigger a StackOverflowError during JSON parsing, which can crash or destabilize your application or service.

Since the attack requires no privileges or user interaction and can be performed remotely over the network, it poses a significant risk to availability.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by testing whether the jackson-core JSON parser enforces the maximum nesting depth constraint when parsing JSON data from a java.io.DataInput source. Specifically, you can attempt to parse a JSON document with excessive nesting (e.g., nesting depth greater than 500) and observe if a StackOverflowError or denial of service occurs.

A practical detection method is to run a test similar to the one implemented in the DeeplyNestedContentViaDataInputTest unit test, which attempts to parse JSON data with a nesting depth of 5000 using a DataInputStream. If the parser does not throw a StreamConstraintsException or otherwise enforce the max nesting depth, the system is vulnerable.

While no specific commands are provided in the resources, you can create a test program or script that uses jackson-core version 3.0.x to parse deeply nested JSON input and monitor for crashes or exceptions indicating the vulnerability.

Mitigation Strategies

The primary and recommended mitigation is to upgrade jackson-core to version 3.1.0 or later, where the vulnerability has been patched by enforcing the maximum nesting depth constraint properly.

As a workaround, avoid parsing JSON inputs from untrusted or potentially malicious sources that could contain excessively nested JSON structures.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29062. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart