VYPR
High severity · NVD Advisory · Published Mar 6, 2026 · Updated Mar 9, 2026

jackson-core: Nesting Depth Constraint Bypass in `UTF8DataInputJsonParser` potentially allowing Resource Exhaustion

CVE-2026-29062

Description

jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. A similar issue was found in ReaderBasedJsonParser. This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS). This issue has been patched in version 3.1.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jackson-core 3.0.0–3.0.x fails to enforce nesting depth limit in UTF8DataInputJsonParser and ReaderBasedJsonParser, enabling deep JSON to cause StackOverflowError DoS.

Vulnerability

Overview

CVE-2026-29062 affects jackson-core versions 3.0.0 up to (but not including) 3.1.0. The UTF8DataInputJsonParser, used when parsing from a java.io.DataInput source, and the ReaderBasedJsonParser both bypass the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints [1][2]. This oversight allows a JSON document with excessive nesting to trigger a StackOverflowError during parsing, leading to a denial of service (DoS).

Exploitation

An attacker can exploit this by providing a deeply nested JSON payload to an application that uses the affected parser implementations. No special privileges are required if the application parses untrusted input. The attack surface includes any service that accepts JSON from external sources and uses jackson-core 3.x with DataInput or Reader-based parsing paths [2].

Impact

Successful exploitation results in a StackOverflowError, which typically terminates the parsing thread or crashes the JVM, causing a denial of service. This can disrupt availability of the affected service. A similar issue was previously addressed in jackson-core 2.x (CVE-2025-52999) by introducing configurable depth limits [3], but the 3.x branch introduced a regression in the specific parser implementations.

Mitigation

The vulnerability has been patched in jackson-core version 3.1.0 [1]. Users are strongly advised to upgrade to 3.1.0 or later. As a workaround, applications should avoid parsing JSON from untrusted sources or ensure that input is validated for excessive nesting before processing.
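The workaround above (validate input for excessive nesting before it reaches the parser) can be done without recursion and without building a tree, by counting unclosed `{`/`[` while skipping string literals. The following is an added example written for this page, not code from jackson-core; the 500 limit mirrors the default `maxNestingDepth` the advisory cites, and the sample payloads are constructed.

```python
"""Streaming nesting-depth pre-check for untrusted JSON (constructed example)."""

MAX_NESTING_DEPTH = 500  # same value as StreamReadConstraints' default maxNestingDepth


class NestingTooDeep(ValueError):
    """Raised as soon as the input nests deeper than the configured limit."""


def max_json_nesting_depth(data: bytes, limit: int = MAX_NESTING_DEPTH) -> int:
    """Return the deepest bracket nesting in `data`, scanning one byte at a time.

    Raises NestingTooDeep after at most limit+1 opening brackets, so a hostile
    payload is rejected early. Stack use is constant regardless of input depth,
    which is exactly the property the affected parsers lack. Brackets inside
    JSON strings are ignored; backslash escapes are honoured so an escaped quote
    cannot end a string early and leak brackets into the count.
    """
    depth = max_depth = 0
    in_string = escaped = False
    for b in data:
        if in_string:
            if escaped:
                escaped = False
            elif b == 0x5C:      # backslash starts an escape sequence
                escaped = True
            elif b == 0x22:      # unescaped quote closes the string
                in_string = False
            continue
        if b == 0x22:            # quote opens a string
            in_string = True
        elif b in (0x7B, 0x5B):  # '{' or '['
            depth += 1
            if depth > limit:
                raise NestingTooDeep(f"nesting depth exceeds {limit}")
            max_depth = max(max_depth, depth)
        elif b in (0x7D, 0x5D):  # '}' or ']'
            depth = max(depth - 1, 0)  # stray closers never "earn" extra depth
    return max_depth


def is_safe_to_parse(data: bytes, limit: int = MAX_NESTING_DEPTH) -> bool:
    """True if `data` may be handed to the JSON parser under the depth limit."""
    try:
        max_json_nesting_depth(data, limit)
        return True
    except NestingTooDeep:
        return False


if __name__ == "__main__":
    benign = b'{"user": {"tags": ["a", "[{not a bracket}]"]}}'  # constructed
    hostile = b"[" * 10_000 + b"]" * 10_000                     # constructed
    print(max_json_nesting_depth(benign), is_safe_to_parse(hostile))  # 3 False
```

The check bounds nesting only; it does not validate JSON syntax, so the real parser must still run after it, on a patched version.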

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
tools.jackson.core:jackson-core | Maven | >= 3.0.0, < 3.1.0 | 3.1.0
