CVE-2026-50193

ADVISORY - github

Summary

Impact

Potential denial of service when an attacker sends deeply nested JSON, if (and only if) the service:

  1. Reads deeply nested (1000s of levels) JSON as a JsonNode (ObjectMapper.readTree())
  2. Writes out the same (or a modified) node using JsonNode.toString()

which can consume a significant amount of resources under concurrent, relatively small requests (1000 nested arrays is 2 kB).

Patches

Fixed in 2.14.0 via https://github.com/FasterXML/jackson-databind/issues/3447.

Workarounds

Avoid serializing JsonNode using toString(); use ObjectMapper.writeValueAsString(node) instead.
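As an added illustration (not code from the advisory or from the jackson-databind project), the following Java program shows both points above: the workaround of serializing a JsonNode with ObjectMapper.writeValueAsString instead of toString(), and a defensive pre-check that rejects over-deep input with the streaming parser before readTree builds the tree. The withinDepthLimit helper and the 100-level limit are assumptions of this example, not part of the advisory; it assumes jackson-databind on the classpath.

```java
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

public class NestedJsonNodeDemo {
    private static final ObjectMapper MAPPER = new ObjectMapper();

    // Constructed input: `depth` nested empty arrays, "[[[...]]]" (1000 levels is about 2 kB).
    static String nestedArrays(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // Defensive pre-check (an assumption of this example, not from the advisory):
    // walk the input with the streaming parser and stop as soon as nesting exceeds
    // maxDepth, so no JsonNode tree is ever built for over-deep documents.
    static boolean withinDepthLimit(String json, int maxDepth) throws Exception {
        try (JsonParser p = MAPPER.getFactory().createParser(json)) {
            while (p.nextToken() != null) {
                if (p.getParsingContext().getNestingDepth() > maxDepth) {
                    return false;
                }
            }
        }
        return true;
    }

    // Serialize the tree the way the advisory's workaround recommends:
    // ObjectMapper.writeValueAsString(node), never JsonNode.toString().
    static String serialize(JsonNode node) throws Exception {
        return MAPPER.writeValueAsString(node);
    }

    // Full handling path: reject over-deep input first, otherwise parse and write safely.
    static String handle(String json, int maxDepth) throws Exception {
        if (!withinDepthLimit(json, maxDepth)) {
            return "rejected: nesting deeper than " + maxDepth + " levels";
        }
        JsonNode node = MAPPER.readTree(json);
        return "accepted: " + serialize(node).length() + " bytes via writeValueAsString";
    }

    public static void main(String[] args) throws Exception {
        String deep = nestedArrays(1000);                   // the advisory's example size
        System.out.println(handle(deep, 100));              // rejected by the pre-check
        System.out.println(handle(nestedArrays(50), 100));  // accepted and round-tripped
    }
}
```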

Common Weakness Enumeration (CWE)

Uncontrolled Resource Consumption
