CVE-2025-52999
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-52999
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-52999.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-52999
- Aliases
- Downstream
- Related
- Published
- 2025-06-25T17:15:39Z
- Modified
- 2025-08-09T19:01:27Z
- Summary
- [none]
- Details
-
jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.
- References