CVE-2025-52999

Vulnerability Description

jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.

Related Weaknesses (CWE)

References

• https://github.com/FasterXML/jackson-core/pull/943
• https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f

FAQ

What is CVE-2025-52999?

CVE-2025-52999 is a documented vulnerability. jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has ...

How severe is CVE-2025-52999?

CVSS scoring is not yet available for CVE-2025-52999. Check NVD for updates.

Is there a patch for CVE-2025-52999?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.