Description
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.13.0 until 2.14.0, a potential Denial-of-Service exists when attacker sends deeply nested JSON if (and only if) the service reads deeply nested (1000s of levels) JSON as JsonNode (ObjectMapper.readTree()) and writes out same (or modifided) node using JsonNode.toString(). This can consume significant amount of resources with concurrent relatively small requests (1000 nested arrays is 2kB). This vulnerability is fixed in 2.14.0.
Published: 2026-06-23
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Jackson Databind, a core component of the Jackson library, processes JSON into in‑memory tree structures. In versions 2.13.0 up to, but not including, 2.14.0, an attacker can craft JSON with thousands of nested levels. When the application reads this deeply nested JSON into a JsonNode via ObjectMapper.readTree() and later serialises it back to a string using JsonNode.toString(), the library recurses through the nested structure, potentially exhausting call stack space or consuming excessive CPU and memory, which can trigger a StackOverflowError or severe resource exhaustion. The flaw is categorized as CWE‑1050, and results in a denial‑of‑service condition for the affected process.

Affected Systems

The affected software is FasterXML’s Jackson Databind library, specifically releases from version 2.13.0 up to, but not including, 2.14.0. Systems that incorporate these library versions and use readTree() to parse external JSON—such as web APIs, configuration loaders, or message consumers—are vulnerable. Updating to any version starting with 2.14.0, where the fix is applied, removes the vulnerability.

Risk and Exploitability

The CVSS base score is 6.3, indicating a moderate severity denial‑of‑service situation. The EPSS score of < 1% shows a very low but nonzero exploit probability, and the vulnerability is not listed in the CISA KEV catalog. An attacker only needs to send a crafted request containing a deeply nested payload to trigger the issue; it is inferred that authentication is not required, based on the description, and the exploit can be performed over any network interface that accepts JSON input. In environments with high request volumes, concurrency can amplify the resource drain, potentially bringing services to a halt. Therefore, while the risk is moderate, the potential impact on availability warrants immediate attention.

Generated by OpenCVE AI on July 1, 2026 at 12:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Jackson Databind to version 2.14.0 or newer.
  • If a library upgrade is not immediately feasible, validate or limit the depth of incoming JSON prior to calling readTree() or toString().
  • Monitor resource utilization and consider rate limiting for endpoints that process user‑supplied JSON to mitigate repeated abuse.

Generated by OpenCVE AI on July 1, 2026 at 12:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3wrr-7qpf-2prh jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString()
History

Wed, 01 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1050
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important


Wed, 24 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
First Time appeared Fasterxml
Fasterxml jackson-databind
Vendors & Products Fasterxml
Fasterxml jackson-databind

Tue, 23 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.13.0 until 2.14.0, a potential Denial-of-Service exists when attacker sends deeply nested JSON if (and only if) the service reads deeply nested (1000s of levels) JSON as JsonNode (ObjectMapper.readTree()) and writes out same (or modifided) node using JsonNode.toString(). This can consume significant amount of resources with concurrent relatively small requests (1000 nested arrays is 2kB). This vulnerability is fixed in 2.14.0.
Title jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString()
Weaknesses CWE-400
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Fasterxml Jackson-databind
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T18:52:47.982Z

Reserved: 2026-06-03T22:05:13.645Z

Link: CVE-2026-50193

cve-icon Vulnrichment

Updated: 2026-06-24T18:52:36.872Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-23T21:00:20Z

Links: CVE-2026-50193 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T12:45:16Z

Weaknesses
  • CWE-1050

    Excessive Platform Resource Consumption within a Loop

  • CWE-400

    Uncontrolled Resource Consumption