CVE-2026-29062
ADVISORY - githubSummary
Summary
The UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints.
A similar issue was found in ReaderBasedJsonParser.
This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS).
The related fix for com.fasterxml.jackson.core:jackson-core, CVE-2025-52999, was not fully applied to tools.jackson.core:jackson-core until the 3.1.0 release. It is recommended that 3.0.x users upgrade.
Patches
jackson-core contains a configurable limit for how deep Jackson will traverse in an input document. This check was missing in a few places in tools.jackson.core:jackson-core.
The change is in https://github.com/FasterXML/jackson-core/pull/1554. jackson-core will throw a StreamConstraintsException if the limit is reached.
jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs.
Workarounds
Users should avoid parsing input files from untrusted sources.
Resources
GHSA-6v53-7c9g-w56r https://nvd.nist.gov/vuln/detail/CVE-2025-52999 https://github.com/FasterXML/jackson-core/pull/1554
Common Weakness Enumeration (CWE)
Allocation of Resources Without Limits or Throttling
Allocation of Resources Without Limits or Throttling
Improper Validation of Specified Quantity in Input
NIST
3.9
CVSS SCORE
8.7highGitHub
-
CVSS SCORE
8.7highDebian
-
CVSS SCORE
N/AlowUbuntu
3.9
CVSS SCORE
7.5mediumRed Hat
3.9
CVSS SCORE
7.5highChainguard
CGA-pm9f-r9cc-8qwv
-