High severityOSV Advisory· Published Jun 25, 2025· Updated Apr 15, 2026

CVE-2025-52999

Description

jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
com.fasterxml.jackson.core:jackson-coreMaven	< 2.15.0	2.15.0

Affected products

Fasterxml/Jackson CoreOSV
Range: jackson-core-2.0.0, jackson-core-2.0.1, jackson-core-2.0.2, …

Patches

a2c0bdcfb9aa

https://github.com/fasterxml/jackson-corevia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-h46c-h94j-95f3ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-52999ghsaADVISORY
github.com/FasterXML/jackson-core/pull/943nvdWEB
github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000