CVE-2025-52999
Description
jackson-core contains the core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, parsing an input file that contains deeply nested data could cause Jackson to throw a StackOverflowError if the depth is particularly large. jackson-core 2.15.0 adds a configurable limit on how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core throws a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.
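The following added example (not part of the advisory or the Jackson project's code) shows how an application on jackson-core and jackson-databind 2.15.0 or later can set a nesting limit tighter than the default of 1000 and treat a violation as a rejected input. The class name `NestingLimitDemo`, the limit of 64, and the sample documents are assumptions chosen for illustration.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;

public class NestingLimitDemo {
    // Assumed application-specific limit; the library default in 2.15.0 is 1000.
    static final int MAX_DEPTH = 64;

    // Build a mapper whose underlying JsonFactory enforces the nesting limit.
    static ObjectMapper boundedMapper() {
        JsonFactory factory = JsonFactory.builder()
                .streamReadConstraints(StreamReadConstraints.builder()
                        .maxNestingDepth(MAX_DEPTH)
                        .build())
                .build();
        return JsonMapper.builder(factory).build();
    }

    // Constructed sample input: `depth` nested empty arrays, e.g. [[[]]] for 3.
    static String nestedArrays(int depth) {
        return "[".repeat(depth) + "]".repeat(depth);
    }

    // Returns true if the document parses, false if the depth limit rejects it.
    // Other parse errors still propagate to the caller.
    static boolean accepts(ObjectMapper mapper, String json) throws Exception {
        try {
            mapper.readTree(json);
            return true;
        } catch (StreamConstraintsException e) {
            // Raised by jackson-core before the call stack can be exhausted.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = boundedMapper();
        // A shallow document well under the limit.
        System.out.println("depth 10 accepted: " + accepts(mapper, nestedArrays(10)));
        // A document far deeper than the limit.
        System.out.println("depth 5000 accepted: " + accepts(mapper, nestedArrays(5000)));
    }
}
```

Catching `StreamConstraintsException` separately from other parse errors lets a service log and count depth-limit rejections on untrusted input.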
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.fasterxml.jackson.core:jackson-core (Maven) | < 2.15.0 | 2.15.0 |
Affected products (82)
- Range: jackson-core-2.0.0, jackson-core-2.0.1, jackson-core-2.0.2, …