CVE-2025-52999 Overview
jackson-core, the core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor, is vulnerable to a Stack Overflow condition when processing deeply nested JSON input. In versions prior to 2.15.0, parsing an input file with particularly deep nesting levels could cause Jackson to throw a StackOverflowError, leading to denial of service.
Critical Impact
Applications using vulnerable versions of jackson-core or jackson-databind can be crashed by attackers submitting maliciously crafted JSON payloads with excessive nesting depth, causing service disruption.
Affected Products
- jackson-core versions prior to 2.15.0
- jackson-databind versions prior to 2.15.0 (uses jackson-core for JSON parsing)
- Applications and services that parse untrusted JSON input using affected Jackson libraries
Discovery Timeline
- 2025-06-25 - CVE-2025-52999 published to NVD
- 2025-06-26 - Last updated in NVD database
Technical Details for CVE-2025-52999
Vulnerability Analysis
This vulnerability is classified as CWE-121 (Stack-based Buffer Overflow), manifesting as a stack exhaustion condition rather than a traditional memory corruption issue. The root problem lies in how Jackson's streaming parser handles recursive descent through nested JSON structures. When parsing deeply nested arrays or objects, the parser uses recursive function calls that consume stack space for each level of nesting.
The vulnerability is exploitable over the network without authentication or user interaction, making it accessible to remote attackers who can submit JSON payloads to vulnerable endpoints. The impact is limited to availability—there is no confidentiality or integrity breach—but the ability to crash applications can be significant for critical services.
Root Cause
The vulnerability stems from the absence of configurable depth limits in jackson-core versions prior to 2.15.0. The JSON parser recursively processes nested structures without tracking or limiting the recursion depth. When an attacker provides a JSON document with thousands of nested levels (e.g., [[[[...]]]]), the Java Virtual Machine's call stack becomes exhausted, resulting in an unrecoverable StackOverflowError.
Attack Vector
Exploitation requires an attacker to submit a maliciously crafted JSON payload to an application endpoint that uses jackson-core or jackson-databind for parsing. The attack payload consists of deeply nested JSON structures designed to exceed the JVM's stack capacity. Since many Java web applications and REST APIs use Jackson for JSON processing, the attack surface is substantial.
The attack is straightforward: an attacker identifies an endpoint that accepts JSON input, crafts a payload with excessive nesting (typically several thousand levels), and submits it. The application attempts to parse the malicious input, exhausts its stack, and crashes. No special privileges or authentication are required if the target endpoint is publicly accessible.
Detection Methods for CVE-2025-52999
Indicators of Compromise
- Application crashes with StackOverflowError in Jackson parser stack traces
- HTTP requests containing unusually large JSON payloads with repetitive nesting patterns
- Error logs showing recursive parser failures in com.fasterxml.jackson.core packages
- Sudden service unavailability following JSON parsing operations
Detection Strategies
- Monitor application logs for StackOverflowError exceptions originating from Jackson parsing classes
- Implement request size and payload depth validation at the API gateway or load balancer level
- Deploy runtime application self-protection (RASP) solutions that can detect recursive exhaustion patterns
- Use dependency scanning tools to identify jackson-core versions prior to 2.15.0 in your software inventory
Monitoring Recommendations
- Configure alerting for unusual patterns of application restarts or out-of-memory conditions
- Monitor HTTP request payload characteristics for anomalous nesting depth or size
- Track Jackson-related exceptions in centralized logging systems
- Implement health check monitoring to detect service crashes quickly
How to Mitigate CVE-2025-52999
Immediate Actions Required
- Upgrade jackson-core and jackson-databind to version 2.15.0 or later
- Review all applications in your environment that use Jackson libraries and prioritize patching
- Implement input validation to reject JSON payloads with excessive nesting depth at the application or gateway level
- If immediate patching is not possible, avoid parsing JSON input from untrusted sources
Patch Information
The fix is included in jackson-core version 2.15.0, which introduces a configurable limit for parsing depth. By default, Jackson now allows a maximum depth of 1000 levels. When this limit is exceeded, jackson-core throws a StreamConstraintsException instead of causing a stack overflow. Both jackson-core and jackson-databind benefit from this change.
For additional technical details, refer to the GitHub Pull Request for Jackson and the GitHub Security Advisory GHSA-h46c-h94j-95f3.
Workarounds
- Avoid parsing JSON input from untrusted or unauthenticated sources until patching is complete
- Implement pre-parsing validation at the network edge to detect and reject deeply nested JSON structures
- Configure web application firewalls (WAF) to limit request body size and detect malicious JSON patterns
- Consider increasing JVM stack size temporarily as a partial mitigation, though this only raises the exploitation threshold
# Example: Configure JVM with increased stack size (partial mitigation only)
java -Xss2m -jar your-application.jar
# Recommended: Upgrade Jackson dependencies in Maven pom.xml
# Update to jackson-core 2.15.0 or later
# <dependency>
# <groupId>com.fasterxml.jackson.core</groupId>
# <artifactId>jackson-core</artifactId>
# <version>2.15.0</version>
# </dependency>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
