CVE-2026-50193

ADVISORY - github

Summary

Impact

Potential Denial-of-Service when an attacker sends deeply nested JSON, if (and only if) the service:

  1. Reads deeply nested (thousands of levels) JSON as a JsonNode (ObjectMapper.readTree())
  2. Writes out the same (or a modified) node using JsonNode.toString()

which can consume a significant amount of resources under concurrent, relatively small requests (1000 nested arrays is 2 kB).

Patches

Fixed in 2.14.0 via https://github.com/FasterXML/jackson-databind/issues/3447.

Workarounds

Avoid serializing JsonNode using toString(): use ObjectMapper.writeValueAsString(node)
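As an added example (not code from the advisory or from jackson-databind), a Java sketch of the workaround: the JsonNode is serialized through ObjectMapper.writeValueAsString() rather than toString(), and a depth check on the parsed tree is added as an extra guard before any serialization work. The class name, the MAX_DEPTH value and the nestedArrays() input generator are assumptions for illustration.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.ArrayList;
import java.util.List;

public class NestedJsonHandling {
    private static final ObjectMapper MAPPER = new ObjectMapper();
    // Assumed depth limit for this example; size it to what your real payloads need.
    private static final int MAX_DEPTH = 200;

    // Constructed input: `levels` nested empty arrays, "[[[...]]]" (1000 levels is about 2 kB).
    static String nestedArrays(int levels) {
        StringBuilder sb = new StringBuilder(levels * 2);
        for (int i = 0; i < levels; i++) sb.append('[');
        for (int i = 0; i < levels; i++) sb.append(']');
        return sb.toString();
    }

    // Depth measured level by level (iterative: recursing over attacker-controlled nesting is risky).
    static int depth(JsonNode root) {
        int depth = 0;
        List<JsonNode> level = List.of(root);
        while (!level.isEmpty()) {
            depth++;
            List<JsonNode> next = new ArrayList<>();
            for (JsonNode n : level) {
                if (n.isContainerNode()) n.forEach(next::add);
            }
            level = next;
        }
        return depth;
    }

    // The advisory's workaround: MAPPER.writeValueAsString(node) instead of node.toString(),
    // plus an added depth check so oversized trees are rejected before serialization.
    static String safeRoundTrip(String json) throws JsonProcessingException {
        JsonNode node = MAPPER.readTree(json);
        if (depth(node) > MAX_DEPTH) {
            throw new IllegalArgumentException("JSON nesting depth exceeds " + MAX_DEPTH);
        }
        return MAPPER.writeValueAsString(node);
    }

    public static void main(String[] args) throws Exception {
        String ok = nestedArrays(50);
        System.out.println(safeRoundTrip(ok).equals(ok)); // true: compact output matches input
        System.out.println(depth(MAPPER.readTree(nestedArrays(1000)))); // 1000, so safeRoundTrip rejects it
    }
}
```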

Common Weakness Enumeration (CWE)

Uncontrolled Resource Consumption


CVSS Score

6.3 (medium)