CVE-2026-50193
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
jackson-databind is the general-purpose data-binding package of the FasterXML Jackson suite. It provides full data-binding (object serialization and deserialization) on top of the Jackson streaming parser/generator (jackson-core) and the Jackson annotations (jackson-annotations), and is one of the most widely used JSON libraries for Java.
A Denial of Service (DoS) vulnerability (CVE-2026-50193) has been identified in jackson-databind, which allows attackers to crash an application by submitting a deeply nested JSON document that is parsed into a tree and then serialized back to text. Serializing such a tree through JsonNode.toString() or toPrettyString() exhausts the JVM call stack and throws a StackOverflowError, terminating the request-handling thread.
Per OWASP: The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others.
This issue affects versions 2.10.0 through 2.13.5 of jackson-databind.
Details
Module Info
- Product: jackson-databind
- Affected packages: jackson-databind
- Affected versions: >=2.10.0 <2.14.0
- GitHub repository: https://github.com/FasterXML/jackson-databind
- Published packages: https://central.sonatype.com/artifact/com.fasterxml.jackson.core/jackson-databind
- Package manager: Maven
- Fixed in:
  - NES for Jackson 2.13.6
  - Jackson Databind 2.14.0 (OSS)
Vulnerability Info
This Medium-severity vulnerability affects jackson-databind versions 2.10.0 through 2.13.5. When untrusted JSON is parsed into a tree (for example with ObjectMapper.readTree()) and that tree is later rendered back to a string, the rendering path is recursive. BaseJsonNode.toString() and toPrettyString() delegate to an internal helper that serializes the node tree one container at a time, with each nested object or array consuming an additional JVM stack frame.
    import java.io.IOException;
    import com.fasterxml.jackson.databind.JsonNode;
    import com.fasterxml.jackson.databind.ObjectMapper;
    import com.fasterxml.jackson.databind.ObjectWriter;
    // Shared writer used by the helper; the initialization shown here is an assumption
    private static final ObjectWriter STD_WRITER = new ObjectMapper().writer();
    public static String nodeToString(JsonNode n) {
        try {
            return STD_WRITER.writeValueAsString(n); // each nested container adds a stack frame
        } catch (IOException e) {
            throw new RuntimeException(e); // StackOverflowError is an Error, not an IOException, so it passes straight through
        }
    }
Because the depth of recursion follows the nesting depth of the input, a document with a few thousand levels of nested arrays or objects drives the serializer past the call-stack limit and raises a StackOverflowError. Such a payload is small, roughly two kilobytes for a thousand levels of nesting, so a handful of concurrent requests can repeatedly crash request-handling threads and deny service. The flaw is in the serialization path specifically: a tree that parsed successfully can still throw when it is echoed, logged, or embedded in a response through toString().
This vulnerability was introduced in 2019 with jackson-databind 2.10.
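As an added example (not HeroDevs' or Jackson's own code), the following Java guard measures the nesting depth of a parsed JsonNode with an explicit stack instead of recursion, and refuses to call toString() above a limit; the class name SafeNodeToString, the MAX_DEPTH value and the constructed payload are assumptions for illustration.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

public class SafeNodeToString {
    // Assumed limit for this example; a real service should derive it from the
    // stack depth its worker threads can actually serialize without overflowing.
    private static final int MAX_DEPTH = 500;

    // Walks the tree iteratively, so the check itself cannot overflow on the
    // very payload it is meant to reject. JsonNode is Iterable over its children.
    static int depthOf(JsonNode root) {
        int maxDepth = 0;
        Deque<JsonNode> nodes = new ArrayDeque<>();
        Deque<Integer> depths = new ArrayDeque<>();
        nodes.push(root);
        depths.push(1);
        while (!nodes.isEmpty()) {
            JsonNode n = nodes.pop();
            int d = depths.pop();
            if (d > maxDepth) maxDepth = d;
            if (n.isContainerNode()) {
                for (JsonNode child : n) {
                    nodes.push(child);
                    depths.push(d + 1);
                }
            }
        }
        return maxDepth;
    }

    // Only renders trees whose depth stays under the limit; deeper trees are
    // rejected before the recursive serializer in affected versions can run.
    static String safeToString(JsonNode n) {
        int depth = depthOf(n);
        if (depth > MAX_DEPTH) {
            throw new IllegalArgumentException("JSON nesting depth " + depth + " exceeds limit " + MAX_DEPTH);
        }
        return n.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload: 1500 nested arrays, about 3 KB of '[' and ']' (Java 11+ for String.repeat)
        int levels = 1500;
        String payload = "[".repeat(levels) + "]".repeat(levels);
        JsonNode tree = new ObjectMapper().readTree(payload);
        System.out.println("measured depth = " + depthOf(tree));
        try {
            safeToString(tree);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On the affected 2.10.x through 2.13.x lines this guard is a stopgap only; upgrading to a release that contains the fix remains the actual remedy.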
Mitigation
Only recent versions of Jackson are community-supported. The affected 2.10.x through 2.13.x lines are End-of-Life and will not receive public updates to address this issue. There is no publicly available fix for the 2.13.x line; NES for Jackson is the remedy for that line.
Users of the affected components should apply one of the following mitigations:
- Upgrade jackson-databind to a currently supported 2.x release that contains the fix.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Credits
- Deniz Husaj (finder)