CVE-2025-52999 Information

Description

jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file that has deeply nested data, Jackson could end up throwing a StackOverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.

Reference

https://github.com/FasterXML/jackson-core/pull/943
https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3

CNNVD-202506-3167 (Published: 2025-06-25)
