Description
jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. A similar issue was found in ReaderBasedJsonParser. This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS). This issue has been patched in version 3.1.0.
Published: 2026-03-06
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

This vulnerability occurs when the UTF8DataInputJsonParser component in jackson-core bypasses the configured maximum nesting depth (default 500). An attacker can supply a JSON document with arbitrarily deep nesting, causing the parser to recurse until a StackOverflowError occurs. The resulting exception can crash the application, leading to a denial of service. The underlying weakness matches the CWE identifiers for resource exhaustion and out‑of‑bounds logic.

Affected Systems

FasterXML’s jackson-core library, versions 3.0.0 through 3.0.x (any patch release prior to 3.1.0), is affected. The issue was resolved in release 3.1.0, so any deployment using a pre‑3.1.0 jar is vulnerable. Applications that embed jackson-core directly or via dependency chains may be impacted.

Risk and Exploitability

The CVSS base score of 8.7 classifies this as a high‑severity weakness. The EPSS indicates a probability of exploitation below 1 %, suggesting that while the flaw is unlikely to be commonly exploited, it remains a serious risk in targeted or high‑value scenarios. The vulnerability is not listed in the KEV catalog, so no known widespread active exploitation is reported. Based on the description, it is inferred that an attacker can trigger the DoS by sending a deeply nested JSON payload to any component that employs the unpatched parser, typically via exposed web services or file input endpoints.

Generated by OpenCVE AI on April 16, 2026 at 11:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade jackson-core to version 3.1.0 or newer.
  • If an immediate upgrade is not possible, configure a stricter maxNestingDepth in StreamReadConstraints or validate JSON structure before parsing to limit nesting.
  • Audit all transitive dependencies that bring in jackson-core and ensure they are updated to a patched version.
  • Add monitoring for stack overflow exceptions and rapid restarts; alert on repeated occurrences.
  • Where feasible, isolate vulnerable services behind network segmentation or firewall rules to limit exposure to untrusted input.

Generated by OpenCVE AI on April 16, 2026 at 11:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6v53-7c9g-w56r jackson-core has Nesting Depth Constraint Bypass in `UTF8DataInputJsonParser` potentially allowing Resource Exhaustion
History

Tue, 10 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Fasterxml jackson-core
CPEs cpe:2.3:a:fasterxml:jackson-core:*:*:*:*:*:*:*:*
Vendors & Products Fasterxml jackson-core

Mon, 09 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 07 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1284
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Fasterxml
Fasterxml jackson
Vendors & Products Fasterxml
Fasterxml jackson

Fri, 06 Mar 2026 07:30:00 +0000

Type Values Removed Values Added
Description jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. A similar issue was found in ReaderBasedJsonParser. This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS). This issue has been patched in version 3.1.0.
Title jackson-core: Nesting Depth Constraint Bypass in `UTF8DataInputJsonParser` potentially allowing Resource Exhaustion
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Fasterxml Jackson Jackson-core
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:02:33.039Z

Reserved: 2026-03-03T17:50:11.245Z

Link: CVE-2026-29062

cve-icon Vulnrichment

Updated: 2026-03-09T20:02:28.930Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T08:16:26.603

Modified: 2026-03-10T19:05:19.067

Link: CVE-2026-29062

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-06T07:14:25Z

Links: CVE-2026-29062 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T11:30:15Z

Weaknesses