Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H reflects the required non-default code path (readTree plus toString); only availability is impacted via uncontrolled StackOverflowError under concurrent load.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Blast Radius
ecosystem impact- 7,599 maven packages depend on com.fasterxml.jackson.core:jackson-databind (2,127 direct, 5,567 indirect)
Ecosystem-wide dependent count for version 2.10.0.
DescriptionCVE.org
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.13.0 until 2.14.0, a potential Denial-of-Service exists when attacker sends deeply nested JSON if (and only if) the service reads deeply nested (1000s of levels) JSON as JsonNode (ObjectMapper.readTree()) and writes out same (or modifided) node using JsonNode.toString(). This can consume significant amount of resources with concurrent relatively small requests (1000 nested arrays is 2kB). This vulnerability is fixed in 2.14.0.
AnalysisAI
Uncontrolled resource consumption in jackson-databind 2.10.0 through 2.13.5 allows unauthenticated remote attackers to cause a Denial-of-Service by submitting small (~2kB), deeply nested JSON payloads that trigger a StackOverflowError when a service reads the input via ObjectMapper.readTree() and serializes the resulting JsonNode using JsonNode.toString(). The root cause is recursive serialization in the toString() call path, which was replaced with an iterative IteratorStack-based implementation in version 2.14.0. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application uses two specific Jackson API calls in sequence on attacker-controlled input: ObjectMapper.readTree() to parse the JSON into a JsonNode tree, and JsonNode.toString() to serialize that node back to a string. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 6.3 (Medium) reflects the conditional nature of the attack: the AT:P (Attack Requirements: Present) metric captures the prerequisite that the target service must use the specific readTree() + toString() code path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a REST endpoint that accepts arbitrary JSON, internally processes it with ObjectMapper.readTree(), and emits the result or logs it via JsonNode.toString(). The attacker submits concurrent HTTP requests each carrying a ~2kB payload of approximately 1,000 levels of nested arrays. … |
| Remediation | Upgrade jackson-databind to version 2.14.0 or later, which replaces the recursive JsonNode serialization with an iterative implementation and fully resolves the vulnerability; this is confirmed by commit a1fa4ae4ecf5cee16da465985f135f3e81816f8c and the GHSA advisory at https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-3wrr-7qpf-2prh. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Jackson Databind
View allFasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeseriali
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. Rated high severity (CVSS 7.5)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38597
GHSA-3wrr-7qpf-2prh