CVE-2025-52999: jackson-core Deep Nesting Stack Overflow Denial of Service Vulnerability

CVE-2025-52999 identifies a stack-based buffer overflow vulnerability in jackson-core JSON parsing library that enables attackers to cause denial of service conditions by exploiting unbounded recursion through maliciously crafted deeply nested JSON data structures that exhaust call stack memory. This vulnerability affects jackson-core versions prior to 2.15.0, achieving a CVSS score of 8.7 (High severity) with EPSS percentile of 20.1 indicating significant exploit risk for Java applications utilizing Jackson Data Processor for JSON parsing operations in web services, APIs, and data processing systems that handle untrusted input. The vulnerability details reveal that insufficient nesting depth validation in JSON parser implementations allows attackers to craft JSON input with extremely large numbers of nested objects or arrays that trigger recursive JsonReadContext creation without bounds checking, creating substantial exploit risk for enterprise Java applications, microservices architectures, and JSON-based APIs that process user-supplied or external JSON data without proper input validation and resource consumption controls. The root cause analysis reveals that the vulnerability stems from missing depth validation in JSON parser methods where unlimited recursive JsonReadContext creation during nested structure processing enables stack exhaustion attacks, classified as CWE-121 (Stack-based Buffer Overflow). The vulnerability specifically affects various parser implementations including ReaderBasedJsonParser and UTF8StreamJsonParser where nextToken and _nextAfterName methods create new contexts for each nesting level without verifying maximum depth limits, enabling attackers to exploit known exploited vulnerabilities targeting parser recursion mechanisms to trigger StackOverflowError exceptions and application crashes. Mitigation steps require upgrading to jackson-core version 2.15.0 or later which implements configurable maxNestingDepth constraints defaulting to 1000 levels, utilizing new createChildArrayContext and createChildObjectContext helper methods with validateNestingDepth checks that throw StreamConstraintsException when limits are exceeded. Organizations should prioritize identifying Java applications using vulnerable jackson-core versions for JSON processing, implement strict input validation and size limits for JSON parsing operations, configure appropriate nesting depth limits based on application requirements, monitor resource consumption during JSON processing for potential DoS attack indicators, avoid parsing JSON input from untrusted sources without proper validation, and maintain updated vulnerability database records to track similar parser recursion vulnerabilities that could compromise application availability through stack overflow attacks and broader security implications for data processing systems handling structured input formats with insufficient recursion protection controls.