GHSA-3wrr-7qpf-2prhMedium

jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString()

Published
June 23, 2026
Last Modified
June 23, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

Potential Denial-of-Service when attacker sends deeply nested JSON if (and only if) service:

  1. Reads deeply nested (1000s of levels) JSON as JsonNode (ObjectMapper.readTree())
  2. Writes out same (or modifided) node using JsonNode.toString()

which can consume significant amount of resources with concurrent relatively small requests (1000 nested arrays is 2kB).

Patches

Fixed in 2.14.0 via https://github.com/FasterXML/jackson-databind/issues/3447.

Workarounds

Avoid serializing JsonNode using toString(): use ObjectMapper.writeValueAsString(node)

🎯 Affected products1

  • maven/com.fasterxml.jackson.core:jackson-databind:>= 2.10.0, <= 2.13.5

🔗 References (4)