Skip to main content

Jackson Core

1 CVEs product

Monthly

CVE-2026-29062 Maven HIGH PATCH This Week

Uncontrolled-recursion denial of service in FasterXML jackson-core 3.0.0 through 3.0.x lets a remote attacker crash JSON-processing services by submitting a deeply nested JSON document. The UTF8DataInputJsonParser (DataInput sources) and ReaderBasedJsonParser fail to enforce the StreamReadConstraints maxNestingDepth limit (default 500), so excessive nesting drives a StackOverflowError. No public exploit identified at time of analysis and EPSS is low (0.06%), but the bug is trivially triggerable against any service that parses untrusted JSON with these parsers; fixed in 3.1.0.

Denial Of Service Jackson Core
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Uncontrolled-recursion denial of service in FasterXML jackson-core 3.0.0 through 3.0.x lets a remote attacker crash JSON-processing services by submitting a deeply nested JSON document. The UTF8DataInputJsonParser (DataInput sources) and ReaderBasedJsonParser fail to enforce the StreamReadConstraints maxNestingDepth limit (default 500), so excessive nesting drives a StackOverflowError. No public exploit identified at time of analysis and EPSS is low (0.06%), but the bug is trivially triggerable against any service that parses untrusted JSON with these parsers; fixed in 3.1.0.

Denial Of Service Jackson Core
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy