CVE-2020-36518 Overview
CVE-2020-36518 is a denial of service vulnerability in FasterXML jackson-databind, a widely used Java library for JSON data binding. The vulnerability allows attackers to trigger a Java StackOverflow exception by submitting JSON payloads containing deeply nested objects. When the library attempts to deserialize these maliciously crafted inputs, the recursive processing leads to stack exhaustion and application crashes.
This vulnerability affects jackson-databind versions prior to 2.13.0 and has significant downstream impact due to the library's widespread adoption in enterprise Java applications, including numerous Oracle, NetApp, and Debian products.
Critical Impact
Attackers can cause denial of service in applications using vulnerable jackson-databind versions by sending specially crafted JSON with deeply nested object structures, leading to stack overflow exceptions and service disruption.
Affected Products
- FasterXML jackson-databind (versions before 2.13.0)
- Oracle WebLogic Server (12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0)
- Oracle Coherence (14.1.1.0.0)
- Oracle Communications Cloud Native Core products (various versions)
- Oracle Financial Services products (various versions)
- Oracle Primavera Gateway and P6 Enterprise Project Portfolio Management
- Oracle PeopleSoft Enterprise PeopleTools (8.58, 8.59)
- Debian Linux (9.0, 10.0, 11.0)
- NetApp Active IQ Unified Manager, OnCommand Insight, and related products
Discovery Timeline
- March 11, 2022 - CVE-2020-36518 published to NVD
- August 27, 2025 - Last updated in NVD database
Technical Details for CVE-2020-36518
Vulnerability Analysis
The vulnerability exists in jackson-databind's JSON deserialization mechanism. When processing JSON input, the library uses recursive function calls to traverse and parse nested object structures. The implementation lacks adequate depth checking during deserialization, allowing an attacker to craft JSON payloads with excessive nesting levels that exceed the JVM's stack space allocation.
This vulnerability is classified under CWE-787 (Out-of-bounds Write), though the practical manifestation is a stack overflow condition. The attack can be executed remotely over the network without authentication, making it particularly dangerous for web applications and services that accept JSON input from untrusted sources.
Root Cause
The root cause lies in jackson-databind's recursive parsing approach for nested JSON structures. The library processes nested objects by recursively calling deserialization methods for each level of nesting. Without proper depth limits, extremely deep nesting (potentially thousands of levels) causes the call stack to grow beyond the JVM's allocated stack size, resulting in a StackOverflowError that crashes the thread or application.
Attack Vector
The attack vector is network-based, requiring no privileges or user interaction. An attacker crafts a malicious JSON payload with deeply nested objects and submits it to an application endpoint that deserializes JSON using a vulnerable jackson-databind version.
The attack payload structure follows a pattern of repeated nested objects. When such a payload is processed, the recursive deserialization exhausts stack space. The depth required to trigger the overflow depends on JVM stack configuration but typically ranges from several thousand to tens of thousands of nesting levels.
For technical details on the vulnerability mechanism, see GitHub Issue #2816 in the jackson-databind repository.
Detection Methods for CVE-2020-36518
Indicators of Compromise
- Unexpected java.lang.StackOverflowError exceptions in application logs during JSON processing
- Application crashes or thread terminations correlated with incoming JSON requests containing unusual depth
- Performance degradation or service unavailability following receipt of large or complex JSON payloads
- Stack traces in logs showing deep recursion through jackson-databind deserializer methods
Detection Strategies
- Implement application-level monitoring for StackOverflowError exceptions in JSON processing code paths
- Deploy WAF rules to detect and block JSON payloads with excessive nesting depth
- Use static code analysis tools to identify jackson-databind dependencies below version 2.13.0
- Conduct dependency scanning in CI/CD pipelines to flag vulnerable library versions
Monitoring Recommendations
- Configure JVM monitoring to alert on unusual stack usage patterns during request processing
- Set up application performance monitoring (APM) to track JSON deserialization latency anomalies
- Monitor endpoint traffic for unusually large JSON payloads or requests with atypical characteristics
- Implement logging around JSON deserialization entry points to capture payload metadata for forensic analysis
How to Mitigate CVE-2020-36518
Immediate Actions Required
- Upgrade jackson-databind to version 2.13.0 or later, which includes fixes for this vulnerability
- Conduct a full dependency audit to identify all applications using vulnerable jackson-databind versions
- Review and update transitive dependencies that may include vulnerable jackson-databind versions
- Implement input validation to limit JSON payload size and nesting depth at the application perimeter
Patch Information
The vulnerability is fixed in jackson-databind version 2.13.0 and later. Organizations should update their Maven, Gradle, or other dependency management configurations to use the patched version. For downstream products:
- Oracle Products: Security patches available via Oracle CPU April 2022 and Oracle CPU July 2022
- Debian Linux: Security updates available per DSA-5283 and LTS announcements
- NetApp Products: Patches available per NetApp Security Advisory NTAP-20220506-0004
Workarounds
- Implement a JSON filter or interceptor that validates and rejects payloads exceeding a defined nesting depth threshold
- Configure web application firewalls to inspect JSON content and block requests with excessive nesting
- Increase JVM stack size temporarily to raise the threshold for stack exhaustion (note: this is a mitigation, not a fix)
- Use custom ObjectMapper configuration with DeserializationFeature.FAIL_ON_READING_DUP_TREE_KEY and streaming APIs for large payloads
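The depth-limiting filter described in the workarounds above, as an added example that is not part of this advisory or of the jackson project: it walks the payload with jackson's streaming JsonParser (which tracks nesting in an explicit counter rather than on the call stack), rejects input beyond an assumed policy limit of 64 levels, and only then hands the document to ObjectMapper. The class name NestingDepthGuard and the sample inputs are constructed for this illustration.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

// Perimeter guard for CVE-2020-36518: the streaming parser measures nesting
// without recursion, so the check itself cannot exhaust the stack, and
// ObjectMapper's recursive binding is never invoked on an oversized document.
public final class NestingDepthGuard {
    private static final JsonFactory FACTORY = new JsonFactory();
    private static final ObjectMapper MAPPER = new ObjectMapper();
    private final int maxDepth; // policy value; 64 used below is an assumed default

    public NestingDepthGuard(int maxDepth) { this.maxDepth = maxDepth; }

    // Returns the deepest object/array level seen, or throws once maxDepth is exceeded.
    public int checkDepth(String json) throws IOException {
        int depth = 0, deepest = 0;
        try (JsonParser p = FACTORY.createParser(json)) {
            for (JsonToken t = p.nextToken(); t != null; t = p.nextToken()) {
                if (t.isStructStart()) {
                    if (++depth > maxDepth) {
                        throw new IllegalArgumentException("JSON nesting depth exceeds "
                            + maxDepth + " at " + p.getCurrentLocation());
                    }
                    deepest = Math.max(deepest, depth);
                } else if (t.isStructEnd()) {
                    depth--;
                }
            }
        }
        return deepest;
    }

    // Bind to the untyped Object/Map graph (the recursive path patched in 2.13.0) only after the check passes.
    public Object readSafely(String json) throws IOException {
        checkDepth(json);
        return MAPPER.readValue(json, Object.class);
    }

    public static void main(String[] args) throws IOException {
        NestingDepthGuard guard = new NestingDepthGuard(64);
        System.out.println(guard.readSafely("{\"user\":{\"id\":7,\"roles\":[\"a\",\"b\"]}}"));
        // Constructed test input: 10,000 nested objects, the payload shape this advisory describes.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 10_000; i++) sb.append("{\"a\":");
        sb.append('1');
        for (int i = 0; i < 10_000; i++) sb.append('}');
        try { guard.readSafely(sb.toString()); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The guard throws at level 65 of the constructed payload and logs the parser location, which is the metadata the monitoring recommendations above suggest capturing at deserialization entry points.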
Maven dependency update example; update pom.xml to use the patched version:

```xml
<dependency>
  <groupId>com.fasterxml.jackson.core</groupId>
  <artifactId>jackson-databind</artifactId>
  <version>2.13.0</version>
</dependency>
```

Verify the jackson-databind version resolved in your project:

```shell
mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.