CVE-2025-52999
Low
Vulnerability Description
jackson-core contains the core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, parsing an input file with deeply nested data could cause Jackson to throw a StackOverflowError if the nesting depth was particularly large. jackson-core 2.15.0 adds a configurable limit on how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core throws a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.
CPUAPR2026
Oracle Critical Patch Update Advisory - April 2026
CPUJAN2026
Oracle Critical Patch Update Advisory - January 2026
CPUOCT2025
Oracle Critical Patch Update Advisory - October 2025
Severity Details
Weakness Type (CWE)
Stack-based Buffer Overflow
- Description: A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
- Exploit Likelihood: High
- Typical Severity: High
- Abstraction Level: Variant
Key Information
- Published Date: June 25, 2025
