CVE-2026-29062

ADVISORY - github

Summary

The UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints.

A similar issue was found in ReaderBasedJsonParser.

This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS).

The related fix for com.fasterxml.jackson.core:jackson-core, CVE-2025-52999, was not fully applied to tools.jackson.core:jackson-core until the 3.1.0 release. It is recommended that 3.0.x users upgrade.

Patches

jackson-core contains a configurable limit for how deep Jackson will traverse in an input document. This check was missing in a few places in tools.jackson.core:jackson-core.

The change is in https://github.com/FasterXML/jackson-core/pull/1554. jackson-core will throw a StreamConstraintsException if the limit is reached.

jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs.

Workarounds

Users should avoid parsing input files from untrusted sources.
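
Where untrusted input cannot be avoided before the upgrade is in place, a caller can enforce a nesting limit on the raw bytes before they reach the parser. The following is an added example, not code from jackson-core or the advisory: the class NestingDepthGuard and its methods are hypothetical, it uses only the JDK, and the limit of 500 mirrors the default maxNestingDepth quoted above.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

/** Pre-parse nesting-depth guard (hypothetical helper, not part of jackson-core). */
public class NestingDepthGuard {

    /** Returns the deepest array/object nesting seen; throws once it exceeds maxDepth. */
    static int checkDepth(InputStream in, int maxDepth) throws IOException {
        int depth = 0, max = 0, b;
        boolean inString = false, escaped = false;
        // Iterative scan: the guard itself uses no recursion, so it cannot overflow the stack.
        while ((b = in.read()) != -1) {
            if (inString) {
                // Brackets inside string values are data, not structure; honour backslash escapes.
                if (escaped) escaped = false;
                else if (b == '\\') escaped = true;
                else if (b == '"') inString = false;
            } else if (b == '"') {
                inString = true;
            } else if (b == '[' || b == '{') {
                if (++depth > maxDepth) {
                    throw new IOException("JSON nesting depth exceeds " + maxDepth);
                }
                max = Math.max(max, depth);
            } else if ((b == ']' || b == '}') && depth > 0) {
                depth--;
            }
        }
        return max;
    }

    static InputStream stream(String s) {
        return new ByteArrayInputStream(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a shallow document whose string contains brackets, and an over-nested one.
        String shallow = "{\"a\":[1,{\"b\":\"[[[ not nesting ]]]\"}]}";
        String nested = "[".repeat(1_000) + "]".repeat(1_000);
        System.out.println("shallow depth: " + checkDepth(stream(shallow), 500));
        try {
            checkDepth(stream(nested), 500);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The guard consumes the stream it inspects, so buffer the input (or wrap it so it can be re-read) before passing it on to the parser.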

Resources

GHSA-6v53-7c9g-w56r
https://nvd.nist.gov/vuln/detail/CVE-2025-52999
https://github.com/FasterXML/jackson-core/pull/1554

EPSS Score: 0.00046 (0.137)

Common Weakness Enumeration (CWE)

ADVISORY - nist: Allocation of Resources Without Limits or Throttling

ADVISORY - github: Allocation of Resources Without Limits or Throttling

ADVISORY - redhat: Improper Validation of Specified Quantity in Input


NIST: CVSS score 8.7 (high); exploitability score -; exploits found -

GitHub: CVSS score 8.7 (high); exploitability score -; exploits found -

Debian: CVSS score N/A (low); exploitability score -; exploits found -; CWE -

Ubuntu: CVSS score N/A (medium); exploitability score -; exploits found -; CWE -

Red Hat: CVSS score 7.5 (high); exploitability score 3.9; exploits found -