Medium severity · NVD Advisory · Published Jun 23, 2026
jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString()
CVE-2026-50193
Description
Impact
Potential Denial-of-Service when an attacker sends deeply nested JSON if (and only if) the service:
- Reads deeply nested (1000s of levels) JSON as JsonNode (ObjectMapper.readTree())
- Writes out the same (or modified) node using JsonNode.toString()
which can consume a significant amount of resources with concurrent, relatively small requests (1000 nested arrays is 2kB).
Patches
Fixed in 2.14.0 via https://github.com/FasterXML/jackson-databind/issues/3447.
Workarounds
Avoid serializing JsonNode using toString(): use ObjectMapper.writeValueAsString(node)
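The workaround as it might look in a service, added here as an example and not taken from the advisory or the jackson-databind project. The class name SafeNodeWriter, the MAX_DEPTH value and the depth check before writing are assumptions for this example; only the use of ObjectMapper.writeValueAsString(node) in place of toString() comes from the advisory. Requires Java 11+ for String.repeat.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.ArrayDeque;
import java.util.Deque;

public class SafeNodeWriter {
    // Hypothetical limit for this example; set it to what the service legitimately needs.
    static final int MAX_DEPTH = 200;
    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** Nesting depth of a tree, computed with an explicit stack so the check itself cannot overflow. */
    static int depth(JsonNode root) {
        Deque<JsonNode> nodes = new ArrayDeque<>();
        Deque<Integer> levels = new ArrayDeque<>();
        nodes.push(root);
        levels.push(root.isContainerNode() ? 1 : 0);
        int max = 0;
        while (!nodes.isEmpty()) {
            JsonNode node = nodes.pop();
            int level = levels.pop();
            max = Math.max(max, level);
            for (JsonNode child : node) { // array elements or object field values
                nodes.push(child);
                levels.push(child.isContainerNode() ? level + 1 : level);
            }
        }
        return max;
    }

    /** Serializes a node the way the advisory recommends, after rejecting over-deep trees. */
    static String write(JsonNode node) throws JsonProcessingException {
        if (depth(node) > MAX_DEPTH) {
            throw new IllegalArgumentException("JSON nesting exceeds " + MAX_DEPTH + " levels");
        }
        return MAPPER.writeValueAsString(node); // not node.toString()
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: a normal document and 1000 nested arrays (about 2 kB).
        String shallow = "{\"user\":{\"roles\":[\"admin\",\"ops\"]}}";
        String deep = "[".repeat(1000) + "]".repeat(1000);
        System.out.println(write(MAPPER.readTree(shallow)));
        try {
            write(MAPPER.readTree(deep));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```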
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.fasterxml.jackson.core:jackson-databind (Maven) | >= 2.10.0, < 2.14.0 | 2.14.0 |
Affected products
- Range: <2.14.0