8.7

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-52999

GHSA ID

GHSA-h46c-h94j-95f3

EPSS Score

0.20096%

CWE

CWE-121

Published

6/27/2025

Updated

6/27/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-52999

CVE-2025-52999: jackson-core Deep Nesting Stack Overflow Denial of Service Vulnerability

CVE-2025-52999 identifies a stack-based buffer overflow vulnerability in jackson-core JSON parsing library that enables attackers to cause denial of service conditions by exploiting unbounded recursion through maliciously crafted deeply nested JSON data structures that exhaust call stack memory. This vulnerability affects jackson-core versions prior to 2.15.0, achieving a CVSS score of 8.7 (High severity) with EPSS percentile of 20.1 indicating significant exploit risk for Java applications utilizing Jackson Data Processor for JSON parsing operations in web services, APIs, and data processing systems that handle untrusted input. The vulnerability details reveal that insufficient nesting depth validation in JSON parser implementations allows attackers to craft JSON input with extremely large numbers of nested objects or arrays that trigger recursive JsonReadContext creation without bounds checking, creating substantial exploit risk for enterprise Java applications, microservices architectures, and JSON-based APIs that process user-supplied or external JSON data without proper input validation and resource consumption controls. The root cause analysis reveals that the vulnerability stems from missing depth validation in JSON parser methods where unlimited recursive JsonReadContext creation during nested structure processing enables stack exhaustion attacks, classified as CWE-121 (Stack-based Buffer Overflow). The vulnerability specifically affects various parser implementations including ReaderBasedJsonParser and UTF8StreamJsonParser where nextToken and _nextAfterName methods create new contexts for each nesting level without verifying maximum depth limits, enabling attackers to exploit known exploited vulnerabilities targeting parser recursion mechanisms to trigger StackOverflowError exceptions and application crashes. Mitigation steps require upgrading to jackson-core version 2.15.0 or later which implements configurable maxNestingDepth constraints defaulting to 1000 levels, utilizing new createChildArrayContext and createChildObjectContext helper methods with validateNestingDepth checks that throw StreamConstraintsException when limits are exceeded. Organizations should prioritize identifying Java applications using vulnerable jackson-core versions for JSON processing, implement strict input validation and size limits for JSON parsing operations, configure appropriate nesting depth limits based on application requirements, monitor resource consumption during JSON processing for potential DoS attack indicators, avoid parsing JSON input from untrusted sources without proper validation, and maintain updated vulnerability database records to track similar parser recursion vulnerabilities that could compromise application availability through stack overflow attacks and broader security implications for data processing systems handling structured input formats with insufficient recursion protection controls.

(GitHub Advisory)

8.7

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-52999

GHSA ID

GHSA-h46c-h94j-95f3

EPSS Score

0.20096%

CWE

CWE-121

Published

6/27/2025

Updated

6/27/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.fasterxml.jackson.core:jackson-core	maven	< 2.15.0	2.15.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a classic stack-based buffer overflow, specifically a StackOverflowError in Java, caused by unbounded recursion. This occurs in various JSON parser implementations within the jackson-core library. The root cause is the lack of a depth check before creating a new JsonReadContext when the parser encounters the start of a nested JSON object ({) or array ([).

An attacker can craft a JSON input with an extremely large number of nested structures. When any of the jackson parsers (e.g., ReaderBasedJsonParser, UTF8StreamJsonParser) process this input, they recursively call methods to handle the nested content. Each level of nesting creates a new JsonReadContext object on the call stack. Without a limit, this chain of object creation continues until the stack space is exhausted, throwing a StackOverflowError and causing the application to crash, resulting in a denial of service.

The patch addresses this by introducing a configurable maxNestingDepth constraint. It adds new helper methods, createChildArrayContext and createChildObjectContext, in the base parser class ParserBase. These methods are now responsible for creating new contexts and, crucially, they first call validateNestingDepth to ensure the limit is not exceeded. The vulnerable functions identified are the various parser methods (nextToken, _nextAfterName, etc.) that were modified to use these new, safe helper methods instead of creating contexts directly. Any of these functions would appear in a stack trace during the exploitation of this vulnerability.

Vulnerable functions

com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken

src/main/java/com/fasterxml/jackson/core/json/ReaderBasedJsonParser.java

This function is a core component of the JSON parsing process. When it encounters a character indicating the start of a new array ('[') or object ('{'), it creates a new parsing context. Prior to the patch, this action was performed without validating the current nesting depth. This allowed a malicious actor to supply a deeply nested JSON document, which would trigger unbounded recursion in context creation, leading to a `StackOverflowError` and a denial of service. The patch mitigates this by delegating the context creation to a new method in `ParserBase` that enforces a configurable depth limit.

com.fasterxml.jackson.core.json.UTF8StreamJsonParser._nextTokenNotInObject

src/main/java/com/fasterxml/jackson/core/json/UTF8StreamJsonParser.java

This function is responsible for parsing the next token from a UTF-8 stream when the parser is not inside a JSON object. Similar to other parsers, when it detects the start of an array or object, it creates a new context. The vulnerability lies in the fact that this creation was not guarded by a depth check, making it susceptible to a `StackOverflowError` when processing overly nested input. The fix involves calling a new helper method that validates the nesting depth.

com.fasterxml.jackson.core.json.UTF8DataInputJsonParser._nextTokenNotInObject

src/main/java/com/fasterxml/jackson/core/json/UTF8DataInputJsonParser.java

This function parses the next token from a `DataInput` source. It was vulnerable because it created new parsing contexts for arrays and objects without checking the nesting depth, which could be exploited to cause a `StackOverflowError` with a specially crafted input.

com.fasterxml.jackson.core.json.async.NonBlockingJsonParserBase._startArrayScope

src/main/java/com/fasterxml/jackson/core/json/async/NonBlockingJsonParserBase.java

This function is part of the asynchronous, non-blocking parser implementation. It is responsible for creating a new context when an array starts. The original code did not have a depth limit, making the asynchronous parser also vulnerable to the `StackOverflowError` denial of service attack.

com.fasterxml.jackson.core.json.async.NonBlockingJsonParserBase._startObjectScope

src/main/java/com/fasterxml/jackson/core/json/async/NonBlockingJsonParserBase.java

This function is the object-equivalent of `_startArrayScope` in the asynchronous parser. It creates a new context for a JSON object and was similarly vulnerable due to the lack of a nesting depth check, contributing to the overall `StackOverflowError` vulnerability.

WAF Protection Rules

WAF Rule

### Imp**t Wit* ol**r v*rsions o* j**kson-*or*, i* you p*rs* *n input *il* *n* it **s ***ply n*st** **t*, J**kson *oul* *n* up t*rowin* * St**kov*r*low*rror i* t** **pt* is p*rti*ul*rly l*r**. ### P*t***s j**kson-*or* *.**.* *ont*ins * *on*i*ur**l*

Reasoning

T** vuln*r**ility is * *l*ssi* st**k-**s** *u***r ov*r*low, sp**i*i**lly * `St**kOv*r*low*rror` in J*v*, **us** *y un*oun*** r**ursion. T*is o**urs in v*rious JSON p*rs*r impl*m*nt*tions wit*in t** `j**kson-*or*` li*r*ry. T** root **us* is t** l**k o

8.7

Basic Information

Concerned about an active attack path?

CVE-2025-52999: jackson-core Deep Nesting Stack Overflow Denial of Service Vulnerability

8.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI