Impact
Jackson Databind, the data-binding module of the Jackson library, maps JSON to Java objects and to an in-memory tree of JsonNode objects. In versions 2.13.0 up to, but not including, 2.14.0, an attacker can craft a JSON document with thousands of nested arrays or objects. When the application reads such a document into a JsonNode via ObjectMapper.readTree() and later serialises it back to a string with JsonNode.toString(), the library recurses once per nesting level without enforcing a depth limit. Each level consumes call-stack space, and the attacker controls how many levels there are, so a single request can trigger a StackOverflowError or, short of that, exhaust CPU and memory. The flaw is categorised as CWE-400 (Uncontrolled Resource Consumption) and results in a denial-of-service condition for the affected process.
Affected Systems
The affected software is FasterXML's Jackson Databind library, specifically releases from version 2.13.0 up to, but not including, 2.14.0. Any system that ships one of these versions and passes externally supplied JSON through readTree() is exposed; typical examples are web APIs, configuration loaders and message-queue consumers. Upgrading to 2.14.0 or any later release, where the fix is applied, removes the vulnerability.
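The following program is an added example, not code from the advisory or from the Jackson project. It reproduces the readTree()/toString() round trip described under Impact on a constructed payload of deeply nested arrays, and then shows one mitigation that works on any 2.x release: walking the document with Jackson's streaming JsonParser, which keeps a depth counter rather than recursing, and rejecting input that nests deeper than a chosen limit before the tree is ever built. The class name, the depth limit of 1000 and the payload depth of 100,000 are assumptions chosen for the demonstration.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

// Hypothetical demo class; not part of Jackson.
public class NestingDepthDemo {

    // Constructed payload: "[[[[ ... ]]]]" nested `depth` levels deep.
    static String nestedArrays(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // Gate: stream through the tokens and report whether nesting exceeds maxDepth.
    // No tree is built and no recursion is used, so cost is linear in input size
    // and stack usage is constant regardless of how deep the attacker nests.
    static boolean exceedsMaxDepth(JsonFactory factory, String json, int maxDepth) throws IOException {
        int depth = 0;
        try (JsonParser p = factory.createParser(json)) {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t == JsonToken.START_OBJECT || t == JsonToken.START_ARRAY) {
                    if (++depth > maxDepth) {
                        return true; // stop early; the rest of the input is irrelevant
                    }
                } else if (t == JsonToken.END_OBJECT || t == JsonToken.END_ARRAY) {
                    depth--;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        String payload = nestedArrays(100_000); // assumed attacker-controlled input

        // Vulnerable path from the advisory: parse to a tree, then serialise it back.
        // Catching StackOverflowError here is only to keep the demo running; it is
        // not a mitigation, since the thread's stack has already been blown.
        try {
            JsonNode tree = mapper.readTree(payload);
            String out = tree.toString();
            System.out.println("round trip succeeded, output length " + out.length());
        } catch (StackOverflowError e) {
            System.out.println("StackOverflowError during readTree()/toString()");
        }

        // Hardened path: bound the depth with the streaming parser before readTree().
        int maxDepth = 1000; // assumed policy value; pick one your real documents never reach
        if (exceedsMaxDepth(mapper.getFactory(), payload, maxDepth)) {
            System.out.println("rejected: nesting deeper than " + maxDepth + " levels");
        } else {
            JsonNode tree = mapper.readTree(payload);
            System.out.println(tree.toString());
        }
    }
}
```

The gate parses the input twice (once to count, once to bind), which is an acceptable price for a request-size-bounded payload; if the input arrives as a stream rather than a String, buffer it first or the second pass will find it consumed. Note that Jackson 2.15 and later enforce a default nesting limit of their own via StreamReadConstraints, in which case the streaming parser in the gate will throw a StreamConstraintsException from nextToken() rather than return true, so callers on those versions should treat that exception as a rejection as well.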
Risk and Exploitability
The CVSS base score is 6.3, a medium-severity denial of service. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. An attacker needs only to submit a request whose body is a deeply nested JSON document; the description does not mention any authentication requirement, so it is inferred that none is needed, and every interface that feeds JSON into readTree() is a potential entry point, whether an HTTP API, a queue consumer or a file import. Because each malicious request ties up a thread's stack and CPU, concurrency works in the attacker's favour: under high request volumes a modest stream of crafted payloads can exhaust the worker pool and halt the service. The score is moderate, but the impact on availability and the low cost of the attack warrant prompt patching.