{"id":"CVE-2025-52999","summary":"jackson-core Has Potential for StackoverflowError if user parses an input file that contains very deeply nested data","details":"jackson-core contains core low-level incremental (\"streaming\") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.","aliases":["GHSA-h46c-h94j-95f3"],"modified":"2026-04-10T05:30:22.592792Z","published":"2025-06-25T17:02:57.428Z","related":["ALSA-2025:12280","ALSA-2025:14126","CGA-9pcx-w2wh-fhx8"],"database_specific":{"cwe_ids":["CWE-121"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/52xxx/CVE-2025-52999.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/52xxx/CVE-2025-52999.json"},{"type":"ADVISORY","url":"https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-52999"},{"type":"FIX","url":"https://github.com/FasterXML/jackson-core/pull/943"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/fasterxml/jackson-core","events":[{"introduced":"0"},{"fixed":"a2c0bdcfb9aae8fca555240e63e57c1d9e6f8079"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.15.0"}]}}],"versions":["jackson-core-2.0.0","jackson-core-2.0.1","jackson-core-2.0.2","jackson-core-2.10.0","jackson-core-2.10.0.pr1","jackson-core-2.10.0.pr2","jackson-core-2.10.0.pr3","jackson-core-2.11.0","jackson-core-2.11.0.rc1","jackson-core-2.12.0","jackson-core-2.12.0-rc1","jackson-core-2.12.0-rc2","jackson-core-2.12.1","jackson-core-2.13.0","jackson-core-2.13.0-rc1","jackson-core-2.13.0-rc2","jackson-core-2.14.0","jackson-core-2.14.0-rc1","jackson-core-2.14.0-rc2","jackson-core-2.14.0-rc3","jackson-core-2.15.0-rc1","jackson-core-2.15.0-rc2","jackson-core-2.15.0-rc3","jackson-core-2.2.0-rc1","jackson-core-2.2.0b","jackson-core-2.2.1","jackson-core-2.2.2","jackson-core-2.3.0","jackson-core-2.3.0-rc1","jackson-core-2.4.0","jackson-core-2.4.0-rc1","jackson-core-2.4.0-rc2","jackson-core-2.4.0-rc3","jackson-core-2.4.1","jackson-core-2.4.1.1","jackson-core-2.5.0","jackson-core-2.5.0-rc1","jackson-core-2.6.0","jackson-core-2.6.0-rc1","jackson-core-2.6.0-rc2","jackson-core-2.6.0-rc3","jackson-core-2.6.0-rc4","jackson-core-2.6.1","jackson-core-2.7.0","jackson-core-2.7.0-rc1","jackson-core-2.7.0-rc2","jackson-core-2.7.0-rc3","jackson-core-2.7.1","jackson-core-2.7.2","jackson-core-2.7.3","jackson-core-2.7.3b","jackson-core-2.8.0","jackson-core-2.8.1","jackson-core-2.8.2","jackson-core-2.9.0","jackson-core-2.9.0.pr1","jackson-core-2.9.0.pr2","jackson-core-2.9.0.pr3","jackson-core-2.9.0.pr4","jackson-core-2.9.1","jackson-core-2.9.2","jackson-core-2.9.3","jackson-core-2.9.4","jackson-core-2.9.5","jackson-core-2.9.6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-52999.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}