GHSA-3wrr-7qpf-2prhMedium
jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString()
🔗 CVE IDs covered (1)
📋 Description
Impact
Potential Denial-of-Service when attacker sends deeply nested JSON if (and only if) service:
- Reads deeply nested (1000s of levels) JSON as
JsonNode(ObjectMapper.readTree()) - Writes out same (or modifided) node using
JsonNode.toString()
which can consume significant amount of resources with concurrent relatively small requests (1000 nested arrays is 2kB).
Patches
Fixed in 2.14.0 via https://github.com/FasterXML/jackson-databind/issues/3447.
Workarounds
Avoid serializing JsonNode using toString(): use ObjectMapper.writeValueAsString(node)
🎯 Affected products1
- maven/com.fasterxml.jackson.core:jackson-databind:>= 2.10.0, <= 2.13.5