Skip to main content

jackson-databind EUVDEUVD-2026-38597

| CVE-2026-50193 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-06-23 security-advisories@github.com GHSA-3wrr-7qpf-2prh
6.3
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.9 MEDIUM

AC:H reflects the required non-default code path (readTree plus toString); only availability is impacted via uncontrolled StackOverflowError under concurrent load.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 23, 2026 - 22:02 EUVD
Source Code Evidence Fetched
Jun 23, 2026 - 21:32 vuln.today
Analysis Generated
Jun 23, 2026 - 21:32 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 7,599 maven packages depend on com.fasterxml.jackson.core:jackson-databind (2,127 direct, 5,567 indirect)

Ecosystem-wide dependent count for version 2.10.0.

DescriptionCVE.org

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.13.0 until 2.14.0, a potential Denial-of-Service exists when attacker sends deeply nested JSON if (and only if) the service reads deeply nested (1000s of levels) JSON as JsonNode (ObjectMapper.readTree()) and writes out same (or modifided) node using JsonNode.toString(). This can consume significant amount of resources with concurrent relatively small requests (1000 nested arrays is 2kB). This vulnerability is fixed in 2.14.0.

AnalysisAI

Uncontrolled resource consumption in jackson-databind 2.10.0 through 2.13.5 allows unauthenticated remote attackers to cause a Denial-of-Service by submitting small (~2kB), deeply nested JSON payloads that trigger a StackOverflowError when a service reads the input via ObjectMapper.readTree() and serializes the resulting JsonNode using JsonNode.toString(). The root cause is recursive serialization in the toString() call path, which was replaced with an iterative IteratorStack-based implementation in version 2.14.0. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify endpoint accepting arbitrary JSON
Delivery
Craft ~2kB payload with 1,000+ nested arrays
Exploit
Submit concurrent unauthenticated HTTP requests
Install
readTree() builds deeply nested JsonNode tree
C2
toString() triggers recursive per-level serialization
Execute
StackOverflowError exhausts processing thread
Impact
Service availability degraded under sustained load

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application uses two specific Jackson API calls in sequence on attacker-controlled input: ObjectMapper.readTree() to parse the JSON into a JsonNode tree, and JsonNode.toString() to serialize that node back to a string. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 6.3 (Medium) reflects the conditional nature of the attack: the AT:P (Attack Requirements: Present) metric captures the prerequisite that the target service must use the specific readTree() + toString() code path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a REST endpoint that accepts arbitrary JSON, internally processes it with ObjectMapper.readTree(), and emits the result or logs it via JsonNode.toString(). The attacker submits concurrent HTTP requests each carrying a ~2kB payload of approximately 1,000 levels of nested arrays. …
Remediation Upgrade jackson-databind to version 2.14.0 or later, which replaces the recursive JsonNode serialization with an iterative implementation and fully resolves the vulnerability; this is confirmed by commit a1fa4ae4ecf5cee16da465985f135f3e81816f8c and the GHSA advisory at https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-3wrr-7qpf-2prh. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2020-11113 HIGH
8.8 Mar 31

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-35728 HIGH
8.1 Dec 27

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-9548 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-9547 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-36183 HIGH POC
8.1 Jan 07

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-35491 HIGH POC
8.1 Dec 17

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-35490 HIGH POC
8.1 Dec 17

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2022-42004 HIGH POC
7.5 Oct 02

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeseriali

CVE-2022-42003 HIGH POC
7.5 Oct 02

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of

CVE-2019-12086 HIGH POC
7.5 May 17

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. Rated high severity (CVSS 7.5)

CVE-2020-9546 CRITICAL
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-11112 HIGH
8.8 Mar 31

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

Share

EUVD-2026-38597 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy