DoS via deep JSON parsing in jackson-databind 2.13.x (readTree & toString)
CVE-2026-50193 Published on June 23, 2026

jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString()
jackson-databind contains the general-purpose data-binding functionality and tree model for the Jackson Data Processor. From 2.13.0 until 2.14.0, a potential Denial-of-Service exists when an attacker sends deeply nested JSON if (and only if) the service reads deeply nested (1000s of levels) JSON as a JsonNode (ObjectMapper.readTree()) and writes out the same (or modified) node using JsonNode.toString(). This can consume a significant amount of resources with concurrent, relatively small requests (1000 nested arrays is 2kB). This vulnerability is fixed in 2.14.0.
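A defender-side mitigation for services that cannot upgrade immediately, added here as an example that is not part of the advisory or of Jackson itself: walk the input with the streaming parser (which tracks nesting iteratively) and reject documents deeper than a limit before handing them to readTree(). The class name DepthGuard, the helper names and the limit of 100 levels are assumptions; the sample inputs are constructed.

```java
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

public class DepthGuard {
    // Assumed limit: pick a value a little above the deepest structure the service's schema needs.
    private static final int MAX_DEPTH = 100;
    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** Maximum array/object nesting depth of json, returning early once maxDepth is exceeded. */
    static int nestingDepth(String json, int maxDepth) throws IOException {
        int depth = 0, deepest = 0;
        try (JsonParser p = MAPPER.getFactory().createParser(json)) {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t == JsonToken.START_ARRAY || t == JsonToken.START_OBJECT) {
                    depth++;
                    if (depth > deepest) deepest = depth;
                    if (depth > maxDepth) return depth; // stop before reading the whole payload
                } else if (t == JsonToken.END_ARRAY || t == JsonToken.END_OBJECT) {
                    depth--;
                }
            }
        }
        return deepest;
    }

    /** Only builds the tree (and therefore only allows toString()) for bounded-depth input. */
    static JsonNode readTreeGuarded(String json) throws IOException {
        if (nestingDepth(json, MAX_DEPTH) > MAX_DEPTH) {
            throw new IllegalArgumentException("JSON nesting exceeds " + MAX_DEPTH + " levels");
        }
        return MAPPER.readTree(json);
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a shallow document and the 1000-nested-arrays case from the advisory.
        String shallow = "{\"a\":[1,2,{\"b\":[]}]}";
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 1000; i++) sb.append('[');
        for (int i = 0; i < 1000; i++) sb.append(']');
        String deep = sb.toString();

        System.out.println(readTreeGuarded(shallow).toString()); // serialises normally
        try {
            readTreeGuarded(deep);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On jackson-core 2.15 and later the same bound can be enforced by the parser itself through StreamReadConstraints.builder().maxNestingDepth(...) on the JsonFactory, which removes the need for a separate pre-scan.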

NVD

Weakness Type

What is a Resource Exhaustion Vulnerability?

The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVE-2026-50193 has been classified as a Resource Exhaustion vulnerability or weakness.


Products Associated with CVE-2026-50193


Affected Versions

FasterXML jackson-databind Version >= 2.10.0, < 2.14.0 is affected by CVE-2026-50193