CVE-2025-52999
Denial of Service (DoS) vulnerability in jackson-core (Maven)
What is CVE-2025-52999 About?
This vulnerability in older versions of jackson-core allows a deeply nested input file to consume excessive memory, leading to a `StackOverflowError` and thus a Denial of Service. The impact can be severe as it crashes the application. Exploitation is relatively easy if an attacker can provide a malicious JSON input.
Affected Software
Technical Details
The vulnerability in older versions of jackson-core stems from its parsing mechanism for deeply nested data within input files. When processing a JSON or other data format input that contains an exceptionally large number of nested objects or arrays, jackson-core would recursively traverse the structure. This recursive parsing without a depth limit could lead to the call stack exhausting its allocated memory, resulting in a StackOverflowError. This error, in turn, would crash the application or service using jackson-core for parsing, effectively causing a Denial of Service (DoS) condition. The absence of a configurable depth limit allowed an attacker to craft a malicious input file with extreme nesting to trigger this condition.
What is the Impact of CVE-2025-52999?
Successful exploitation may allow attackers to crash the application, leading to a denial of service for legitimate users by inducing a StackOverflowError through deeply nested input data.
What is the Exploitability of CVE-2025-52999?
Exploitation of this denial of service vulnerability is relatively straightforward. An attacker needs to provide a malformed or specially crafted input file (e.g., a deeply nested JSON document) to an application using a vulnerable version of jackson-core. No specific authentication is required if the attacker can send data to any endpoint that internally utilizes jackson-core for parsing. The attack is remote if the application accepts external input. The primary prerequisite is that the application uses older jackson-core versions (prior to 2.15.0). While direct attacks are easy, the impact is limited to denial of service, not arbitrary code execution. The risk of exploitation is higher in applications that accept input from untrusted sources without proper validation or sanitization before parsing.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2025-52999?
About the Fix from Resolved Security
The patch introduces StreamReadConstraints to enforce maximum allowed nesting depth when parsing JSON, rejecting inputs that exceed a default depth of 1000. This mitigates the risk of stack exhaustion or denial of service from maliciously deep structures, thereby fixing CVE-2025-52999 by validating and limiting recursion during parsing.
Available Upgrade Options
- com.fasterxml.jackson.core:jackson-core
- <2.15.0 → Upgrade to 2.15.0
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://osv.dev/vulnerability/GHSA-h46c-h94j-95f3
- https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3
- https://nvd.nist.gov/vuln/detail/CVE-2025-52999
- https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3
- https://github.com/FasterXML/jackson-core
- https://github.com/FasterXML/jackson-core/pull/943
- https://github.com/FasterXML/jackson-core/pull/943
What are Similar Vulnerabilities to CVE-2025-52999?
Similar Vulnerabilities: CVE-2023-34035 , CVE-2022-45688 , CVE-2021-29425 , CVE-2020-25649 , CVE-2019-10241
