CVE-2025-52999

Denial of Service
Affects
Jackson Core
in
Jackson
Versions
<2.15.0
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Jackson Core is the foundational package of the Jackson project that provides low-level, incremental (“streaming”) parser and generator abstractions used by the Jackson Data Processor. While it includes default implementations for handling JSON, the core abstractions themselves are not JSON-specific, even though many names reference JSON for historical reasons. This package serves as the base for the Jackson data-binding module and is also extended by alternate data format implementations such as Smile (binary JSON), XML, CSV, Protobuf, and CBOR.

A Denial of Service (DoS) vulnerability (CVE-2025-52999) has been identified in Jackson Core. Deeply nested input data can cause a StackOverflowError during parsing. Attackers could exploit this issue to crash applications that rely on Jackson Core, resulting in service disruption.

Per CISA: A denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. Services affected may include email, websites, online accounts (e.g., banking), or other services that rely on the affected computer or network. A denial-of-service condition is accomplished by flooding the targeted host or network with traffic until the target cannot respond or simply crashes, preventing access for legitimate users. DoS attacks can cost an organization both time and money while their resources and services are inaccessible.

Details

Module Info

Vulnerability Info

Jackson Core contained a vulnerability where extremely deep nesting in input documents could cause the parser to exhaust the Java stack and throw a StackOverflowError, allowing an attacker to disrupt service by sending specially crafted input. Versions prior to 2.15.0 are affected because they did not enforce a traversal-depth limit. The issue was addressed in jackson-core 2.15.0, which introduces a configurable maximum depth (default 1000) and causes the parser to fail fast with a StreamConstraintsException when that limit is exceeded. Because Jackson Databind relies on Jackson Core for parsing, it also benefits from this fix.

Mitigation

Only recent versions of Jackson Core are community-supported, and only those community-supported versions will receive updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Jackson Core >=2.15.0 and tune the depth limit to match your application’s expected input complexity.
  • Avoid parsing untrusted or unauthenticated input and validate or pre-sanitize inputs for abnormal nesting.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
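
The following is an added example, not HeroDevs' or the Jackson project's code, showing how the depth limit described above is configured in jackson-core 2.15.0 and later and how to verify that over-nested input is rejected with a StreamConstraintsException rather than exhausting the stack. The limit of 50 and the nested-array test document are constructed for this illustration; choose a limit that matches your application's real input.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;

import java.io.IOException;

/**
 * Added example (not the advisory's or the Jackson project's code): builds a
 * JsonFactory with an explicit nesting-depth limit (jackson-core >= 2.15.0)
 * and checks that the parser fails fast on input nested beyond that limit.
 */
public class NestingDepthCheck {

    // Assumption for this example: the service never legitimately sees more
    // than 50 levels of nesting. The library default in 2.15.0 is 1000.
    static final int MAX_DEPTH = 50;

    /** Factory whose parsers enforce the given maximum nesting depth. */
    static JsonFactory constrainedFactory(int maxDepth) {
        StreamReadConstraints constraints = StreamReadConstraints.builder()
                .maxNestingDepth(maxDepth)
                .build();
        return JsonFactory.builder()
                .streamReadConstraints(constraints)
                .build();
    }

    /** Constructed test document: `depth` nested empty arrays, e.g. "[[[]]]" for depth 3. */
    static String nestedArrays(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    /**
     * Streams through the whole document and returns the deepest nesting level
     * observed, or -1 if the constraint rejected the input.
     */
    static int scan(JsonFactory factory, String json) throws IOException {
        int deepest = 0;
        try (JsonParser p = factory.createParser(json)) {
            while (p.nextToken() != null) {
                // Nesting depth of the enclosing arrays/objects at this token.
                deepest = Math.max(deepest, p.getParsingContext().getNestingDepth());
            }
            return deepest;
        } catch (StreamConstraintsException e) {
            // Expected path for over-nested input: the parser stops at the
            // configured limit instead of recursing until the stack is exhausted.
            System.err.println("rejected: " + e.getMessage());
            return -1;
        }
    }

    public static void main(String[] args) throws IOException {
        JsonFactory factory = constrainedFactory(MAX_DEPTH);
        System.out.println(scan(factory, nestedArrays(10)));            // within limit
        System.out.println(scan(factory, nestedArrays(MAX_DEPTH + 1))); // rejected
    }
}
```

Because Jackson Databind parses through Jackson Core, passing the same constrained factory to the mapper (for example via JsonMapper.builder(factory)) applies the limit to data-binding as well. Catching StreamConstraintsException at the request boundary and returning a client error keeps a single malformed document from taking the service down.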
Vulnerability Details

ID: CVE-2025-52999
Project Affected: Jackson Core
Versions Affected: <2.15.0
Published date: October 13, 2025
≈ Fix date: September 29, 2025
Severity: High
Category: Denial of Service

Severity levels (CVSS assessment): Low >=0 <4; Medium >=4 <6; High >=6 <8; Critical >=8 <10