CVE-2026-29062
HIGH
GHSA-6v53-7c9g-w56r
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Description
jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. A similar issue was found in ReaderBasedJsonParser. This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS). This issue has been patched in version 3.1.0.
Analysis
Jackson Core versions 3.0.0 through 3.0.x fail to enforce maximum nesting depth limits in UTF8DataInputJsonParser and ReaderBasedJsonParser, allowing attackers to craft deeply nested JSON documents that trigger StackOverflowError and crash the application. This denial of service vulnerability affects any Java application using the vulnerable Jackson Core versions to parse untrusted JSON input. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all applications and services using Jackson-core and identify those running affected versions (3.0.0 through 3.0.x). Within 7 days: Apply available patch to upgrade Jackson-core to version 3.1.0 or later across development, staging, and production environments. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today