{"id":"CVE-2025-52999","summary":"jackson-core Has Potential for StackoverflowError if user parses an input file that contains very deeply nested data","details":"jackson-core contains core low-level incremental (\"streaming\") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.","aliases":["GHSA-h46c-h94j-95f3"],"modified":"2026-03-20T12:44:10.313355Z","published":"2025-06-25T17:02:57.428Z","related":["ALSA-2025:12280","ALSA-2025:14126","CGA-9pcx-w2wh-fhx8"],"database_specific":{"cwe_ids":["CWE-121"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/52xxx/CVE-2025-52999.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/52xxx/CVE-2025-52999.json"},{"type":"ADVISORY","url":"https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-52999"},{"type":"FIX","url":"https://github.com/FasterXML/jackson-core/pull/943"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/fasterxml/jackson-core","events":[{"introduced":"0"},{"fixed":"a2c0bdcfb9aae8fca555240e63e57c1d9e6f8079"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.15.0"}]}}],"versions":["jackson-core-2.0.0","jackson-core-2.0.1","jackson-core-2.0.2","jackson-core-2.10.0","jackson-core-2.10.0.pr1","jackson-core-2.10.0.pr2","jackson-core-2.10.0.pr3","jackson-core-2.10.1","jackson-core-2.10.2","jackson-core-2.10.3","jackson-core-2.10.4","jackson-core-2.10.5","jackson-core-2.11.0","jackson-core-2.11.0.rc1","jackson-core-2.11.1","jackson-core-2.11.2","jackson-core-2.11.3","jackson-core-2.11.4","jackson-core-2.12.0","jackson-core-2.12.0-rc1","jackson-core-2.12.0-rc2","jackson-core-2.12.1","jackson-core-2.12.2","jackson-core-2.12.3","jackson-core-2.12.4","jackson-core-2.12.5","jackson-core-2.12.6","jackson-core-2.12.7","jackson-core-2.13.0","jackson-core-2.13.0-rc1","jackson-core-2.13.0-rc2","jackson-core-2.13.1","jackson-core-2.13.2","jackson-core-2.13.3","jackson-core-2.13.4","jackson-core-2.13.5","jackson-core-2.14.0","jackson-core-2.14.0-rc1","jackson-core-2.14.0-rc2","jackson-core-2.14.0-rc3","jackson-core-2.14.1","jackson-core-2.14.2","jackson-core-2.15.0-rc1","jackson-core-2.15.0-rc2","jackson-core-2.15.0-rc3","jackson-core-2.2.0-rc1","jackson-core-2.2.0b","jackson-core-2.2.1","jackson-core-2.2.2","jackson-core-2.3.0","jackson-core-2.3.0-rc1","jackson-core-2.4.0","jackson-core-2.4.0-rc1","jackson-core-2.4.0-rc2","jackson-core-2.4.0-rc3","jackson-core-2.4.1","jackson-core-2.4.1.1","jackson-core-2.4.2","jackson-core-2.4.3","jackson-core-2.4.4","jackson-core-2.4.5","jackson-core-2.5.0","jackson-core-2.5.0-rc1","jackson-core-2.5.1","jackson-core-2.5.2","jackson-core-2.5.3","jackson-core-2.5.4","jackson-core-2.5.5","jackson-core-2.6.0","jackson-core-2.6.0-rc1","jackson-core-2.6.0-rc2","jackson-core-2.6.0-rc3","jackson-core-2.6.0-rc4","jackson-core-2.6.1","jackson-core-2.6.2","jackson-core-2.6.3","jackson-core-2.6.4","jackson-core-2.6.5","jackson-core-2.6.6","jackson-core-2.7.0","jackson-core-2.7.0-rc1","jackson-core-2.7.0-rc2","jackson-core-2.7.0-rc3","jackson-core-2.7.1","jackson-core-2.7.2","jackson-core-2.7.3","jackson-core-2.7.3b","jackson-core-2.7.4","jackson-core-2.7.5","jackson-core-2.7.6","jackson-core-2.7.7","jackson-core-2.7.8","jackson-core-2.7.9","jackson-core-2.8.0","jackson-core-2.8.1","jackson-core-2.8.10","jackson-core-2.8.11","jackson-core-2.8.2","jackson-core-2.8.3","jackson-core-2.8.4","jackson-core-2.8.5","jackson-core-2.8.6","jackson-core-2.8.7","jackson-core-2.8.8","jackson-core-2.8.9","jackson-core-2.9.0","jackson-core-2.9.0.pr1","jackson-core-2.9.0.pr2","jackson-core-2.9.0.pr3","jackson-core-2.9.0.pr4","jackson-core-2.9.1","jackson-core-2.9.10","jackson-core-2.9.2","jackson-core-2.9.3","jackson-core-2.9.4","jackson-core-2.9.5","jackson-core-2.9.6","jackson-core-2.9.7","jackson-core-2.9.8","jackson-core-2.9.9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-52999.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}