-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability is a classic stack-based buffer overflow, specifically a StackOverflowError in Java, caused by unbounded recursion. This occurs in various JSON parser implementations within the jackson-core library. The root cause is the lack of a depth check before creating a new JsonReadContext when the parser encounters the start of a nested JSON object ({) or array ([).
An attacker can craft a JSON input with an extremely large number of nested structures. When any of the jackson parsers (e.g., ReaderBasedJsonParser, UTF8StreamJsonParser) process this input, they recursively call methods to handle the nested content. Each level of nesting creates a new JsonReadContext object on the call stack. Without a limit, this chain of object creation continues until the stack space is exhausted, throwing a StackOverflowError and causing the application to crash, resulting in a denial of service.
The patch addresses this by introducing a configurable maxNestingDepth constraint. It adds new helper methods, createChildArrayContext and createChildObjectContext, in the base parser class ParserBase. These methods are now responsible for creating new contexts and, crucially, they first call validateNestingDepth to ensure the limit is not exceeded. The vulnerable functions identified are the various parser methods (nextToken, _nextAfterName, etc.) that were modified to use these new, safe helper methods instead of creating contexts directly. Any of these functions would appear in a stack trace during the exploitation of this vulnerability.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.fasterxml.jackson.core:jackson-core | maven | < 2.15.0 | 2.15.0 |
Access the latest Benchmark Study of WAF Weaknesses and AI Mitigation