{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29062", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T17:50:11.245Z", "datePublished": "2026-03-06T07:14:25.059Z", "dateUpdated": "2026-03-09T20:02:33.039Z"}, "containers": {"cna": {"title": "jackson-core: Nesting Depth Constraint Bypass in `UTF8DataInputJsonParser` potentially allowing Resource Exhaustion", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-6v53-7c9g-w56r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-6v53-7c9g-w56r"}, {"name": "https://github.com/FasterXML/jackson-core/pull/1554", "tags": ["x_refsource_MISC"], "url": "https://github.com/FasterXML/jackson-core/pull/1554"}, {"name": "https://github.com/FasterXML/jackson-core/commit/8b25fd67f20583e75fb09564ce1eaab06cd5a902", "tags": ["x_refsource_MISC"], "url": "https://github.com/FasterXML/jackson-core/commit/8b25fd67f20583e75fb09564ce1eaab06cd5a902"}], "affected": [{"vendor": "FasterXML", "product": "jackson-core", "versions": [{"version": ">= 3.0.0, < 3.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T07:14:25.059Z"}, "descriptions": [{"lang": "en", "value": "jackson-core contains core low-level incremental (\"streaming\") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. A similar issue was found in ReaderBasedJsonParser. This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS). This issue has been patched in version 3.1.0."}], "source": {"advisory": "GHSA-6v53-7c9g-w56r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T20:02:22.373094Z", "id": "CVE-2026-29062", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:02:33.039Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29062", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:02:22.373094Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:02:28.930Z"}}], "cna": {"title": "jackson-core: Nesting Depth Constraint Bypass in `UTF8DataInputJsonParser` potentially allowing Resource Exhaustion", "source": {"advisory": "GHSA-6v53-7c9g-w56r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "FasterXML", "product": "jackson-core", "versions": [{"status": "affected", "version": ">= 3.0.0, < 3.1.0"}]}], "references": [{"url": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-6v53-7c9g-w56r", "name": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-6v53-7c9g-w56r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/FasterXML/jackson-core/pull/1554", "name": "https://github.com/FasterXML/jackson-core/pull/1554", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/FasterXML/jackson-core/commit/8b25fd67f20583e75fb09564ce1eaab06cd5a902", "name": "https://github.com/FasterXML/jackson-core/commit/8b25fd67f20583e75fb09564ce1eaab06cd5a902", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "jackson-core contains core low-level incremental (\"streaming\") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. A similar issue was found in ReaderBasedJsonParser. This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS). This issue has been patched in version 3.1.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T07:14:25.059Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29062", "state": "PUBLISHED", "dateUpdated": "2026-03-09T20:02:33.039Z", "dateReserved": "2026-03-03T17:50:11.245Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T07:14:25.059Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fasterxml:jackson-core:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA6DD668-601D-4399-88DE-4D0F34EA9206", "versionEndExcluding": "3.1.0", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "jackson-core contains core low-level incremental (\"streaming\") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. A similar issue was found in ReaderBasedJsonParser. This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS). This issue has been patched in version 3.1.0."}, {"lang": "es", "value": "jackson-core contiene abstracciones de analizador y generador incrementales ('streaming') de bajo nivel, fundamentales, utilizadas por Jackson Data Processor. Desde la versi\u00f3n 3.0.0 hasta antes de la versi\u00f3n 3.1.0, el UTF8DataInputJsonParser, que se utiliza al analizar desde una fuente java.io.DataInput, omite la restricci\u00f3n maxNestingDepth (predeterminado: 500) definida en StreamReadConstraints. Se encontr\u00f3 un problema similar en ReaderBasedJsonParser. Esto permite a un usuario proporcionar un documento JSON con anidamiento excesivo, lo que puede causar un StackOverflowError cuando se procesa la estructura, llevando a una Denegaci\u00f3n de Servicio (DoS). Este problema ha sido parcheado en la versi\u00f3n 3.1.0."}], "id": "CVE-2026-29062", "lastModified": "2026-03-10T19:05:19.067", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T08:16:26.603", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/FasterXML/jackson-core/commit/8b25fd67f20583e75fb09564ce1eaab06cd5a902"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/FasterXML/jackson-core/pull/1554"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-6v53-7c9g-w56r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "jackson-core: jackson-core: Denial of Service via excessive JSON nesting", "id": "2445135", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445135"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1284", "details": ["A flaw was found in jackson-core. A user could exploit this vulnerability by supplying a specially crafted JSON document with excessive nesting. This bypasses a security constraint designed to limit nesting depth, which can cause a system crash (StackOverflowError) when the document is processed. This ultimately leads to a Denial of Service (DoS) for the affected application."], "name": "CVE-2026-29062", "package_state": [{"cpe": "cpe:/a:redhat:certificate_system:10", "fix_state": "Not affected", "package_name": "redhat-pki:10/redhat-pki", "product_name": "Red Hat Certificate System 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "dogtag-pki", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pki-deps:10.6/jackson-core", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "jackson-core", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-06T07:14:25Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-29062\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-29062\nhttps://github.com/FasterXML/jackson-core/commit/8b25fd67f20583e75fb09564ce1eaab06cd5a902\nhttps://github.com/FasterXML/jackson-core/pull/1554\nhttps://github.com/FasterXML/jackson-core/security/advisories/GHSA-6v53-7c9g-w56r"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.1.0)"}}], "enrichment": {"confidence": 87.0, "confidence_source": "matching", "scores": [{"score": 87.0, "source": "matching"}]}, "original": {"product": "jackson-core", "source": "cna", "vendor": "FasterXML"}, "product": "jackson", "vendor": "fasterxml"}], "analysis": {"en": {"generated_at": "2026-04-16T11:27:30.884531+00:00", "value": {"mitigation_remediation": ["Upgrade jackson-core to version 3.1.0 or newer.", "If an immediate upgrade is not possible, configure a stricter maxNestingDepth in StreamReadConstraints or validate JSON structure before parsing to limit nesting.", "Audit all transitive dependencies that bring in jackson-core and ensure they are updated to a patched version.", "Add monitoring for stack overflow exceptions and rapid restarts; alert on repeated occurrences.", "Where feasible, isolate vulnerable services behind network segmentation or firewall rules to limit exposure to untrusted input."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "FasterXML\u2019s jackson-core library, versions 3.0.0 through 3.0.x (any patch release prior to 3.1.0), is affected. The issue was resolved in release 3.1.0, so any deployment using a pre\u20113.1.0 jar is vulnerable. Applications that embed jackson-core directly or via dependency chains may be impacted.", "description_and_impact": "This vulnerability occurs when the UTF8DataInputJsonParser component in jackson-core bypasses the configured maximum nesting depth (default 500). An attacker can supply a JSON document with arbitrarily deep nesting, causing the parser to recurse until a StackOverflowError occurs. The resulting exception can crash the application, leading to a denial of service. The underlying weakness matches the CWE identifiers for resource exhaustion and out\u2011of\u2011bounds logic.", "risk_and_exploitability": "The CVSS base score of 8.7 classifies this as a high\u2011severity weakness. The EPSS indicates a probability of exploitation below 1\u202f%, suggesting that while the flaw is unlikely to be commonly exploited, it remains a serious risk in targeted or high\u2011value scenarios. The vulnerability is not listed in the KEV catalog, so no known widespread active exploitation is reported. Based on the description, it is inferred that an attacker can trigger the DoS by sending a deeply nested JSON payload to any component that employs the unpatched parser, typically via exposed web services or file input endpoints."}}}}, "created": "2026-03-06T14:55:28.180071+00:00", "updated": "2026-04-16T11:30:15.909321+00:00", "vendors": ["fasterxml", "fasterxml$PRODUCT$jackson"]}