Vulnerability Identifier

CVE-2025-52999

2025-06-25

Severity Assessment

LOW

CVSS v3.x Score

Clinical Analysis (Description)

jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.

Vector Sequencing

Attack Parameters

Impact Consequences

Technical Impact

Weakness Classification

CWE-CWE-121

View CWE Details ↗

Timeline

Time Line

PUBLICATION

25 Jun 2025

MODIFICATION

26 Jun 2025

FIRST PATCH

21 Apr 2026

Impact Statistics

Key Metrics

CVSS Score

LOW

Patches

Available

Remediation Protocol

Immediate Action Plan

1. Inventory

Identify all affected systems in your infrastructure.

2. Assessment

Assess exposure and criticality for your organization.

3. Mitigation

Apply patches or available workarounds.

4. Verification

Test and confirm effectiveness of applied measures.

Sources & Bibliography

NIST NVD MITRE CVE External Reference ↗ External Reference ↗

CVE Vulnerabilities

Posts & Pages