CVE-2025-52999

EUVD-2025-28482
jackson-core contains the core low-level incremental ("streaming") parser and generator abstractions used by the Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file that has deeply nested data, Jackson could end up throwing a StackOverflowError if the depth is particularly large. jackson-core 2.15.0 adds a configurable limit on how deep Jackson will traverse an input document, defaulting to an allowable depth of 1000; jackson-core throws a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.
CVSS v4.0 (Provider: GitHub_M, Type: CNA)
Base Score:          8.7 HIGH
Attack Vector:       NETWORK
Attack Complexity:   LOW
Privileges Required: NONE
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score Percentile: 48%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
Vendor      Product   Version    Source
fasterxml   jackson   < 2.15.0   CNA
Debian Releases (Debian Product: jackson-core)
Codename   Version    Status
bookworm              vulnerable
bullseye              vulnerable
forky      2.14.1-2   fixed
sid        2.14.1-2   fixed
trixie                vulnerable
Ubuntu Releases (Ubuntu Product: jackson-core)
Codename   Status
bionic     needs-triage
focal      needs-triage
jammy      needs-triage
noble      needs-triage
oracular   ignored
plucky     ignored
questing   needs-triage
resolute   needs-triage
xenial     needs-triage
Red Hat Enterprise Linux Releases
Red Hat Product                        Release   Version            Status
pki-jackson-annotations                RHEL 9    0:2.19.1-1.el9_6   fixed
pki-jackson-core                       RHEL 9    0:2.19.1-1.el9_6   fixed
pki-jackson-databind                   RHEL 9    0:2.19.1-1.el9_6   fixed
pki-jackson-jaxrs-json-provider        RHEL 9    0:2.19.1-1.el9_6   fixed
pki-jackson-jaxrs-providers            RHEL 9    0:2.19.1-1.el9_6   fixed
pki-jackson-module-jaxb-annotations    RHEL 9    0:2.19.1-1.el9_6   fixed