jackson-core <=2.14 StackOverflow on deep nesting – fixed in 2.15
CVE-2025-52999 Published on June 25, 2025
jackson-core Has Potential for StackoverflowError if user parses an input file that contains very deeply nested data
jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.
Weakness Type
What is a Stack Overflow Vulnerability?
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
CVE-2025-52999 has been classified to as a Stack Overflow vulnerability or weakness.
Products Associated with CVE-2025-52999
Want to know whenever a new CVE is published for Oracle? stack.watch will email you.
Affected Versions
FasterXML jackson-core Version < 2.15.0 is affected by CVE-2025-52999Vulnerable Packages
The following package name and versions may be associated with CVE-2025-52999
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | tools.jackson.core:jackson-core | >= 3.0.0, < 3.1.0 | 3.1.0 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.