Bug 2374804 (CVE-2025-52999)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2025-52999 com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError | | |
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | aakkiang, aazores, abrianik, amctagga, anstephe, anthomas, aoconnor, aprice, aschwart, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, bniver, boliveir, brian.stansberry, caswilli, ccranfor, cdewolf, cfu, chfoley, clement.escoffier, cmah, cmiranda, dandread, darran.lofthouse, davidn, dbruscin, dfreiber, dhanak, dkreling, dnakabaa, dosoudil, drosa, drow, dsimansk, dsirrine, eaguilar, ebaron, edewata, ehelms, eric.wittmann, fjuma, flucifre, fmariani, fmongiar, ggainey, ggrzybek, gkimetto, gmalinko, gmeno, gsmet, gtanzill, haoli, hkataria, ibek, istudens, ivassile, iweiss, jajackso, janstey, jburrell, jcammara, jcantril, jkoehler, jmagne, jmartisk, jmitchel, jneedle, jnethert, jolong, jpechane, jpoth, jrokos, jsamir, jscholz, juwatts, kaycoth, kegrant, kgaikwad, kholdawa, kingland, koliveir, kshier, kvanderr, kverlaen, lcouzens, lgao, lphiri, lthon, mabashia, manderse, matzew, mbenjamin, mfargett, mhackett, mharmsen, mhulan, mnovotny, mosmerov, mposolda, mskarbek, msochure, msvehla, nipatil, nmoumoul, nwallace, oezr, olubyans, osousa, pantinor, parichar, pbizzarr, pbraun, pcongius, pcreech, pdelbell, periklis, pesilva, pgallagh, pjindal, pmackay, prisingh, probinso, rchan, rguimara, rkieley, rkubis, rojacob, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, sdawley, shvarugh, simaishi, skhandel, smaestri, smallamp, smcdonal, sostapov, ssilvert, stcannon, sthirugn, sthorger, swoodman, taherrin, tasato, tcunning, teagle, tfister, thavo, tom.jenkinson, tqvarnst, vereddy, vkrizan, vkumar, vmuzikar, yfang, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | --- |
| Doc Text: | A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackOverflowError can occur. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2374816, 2374819, 2374820, 2374821, 2374822, 2374823, 2374825, 2374826, 2374813, 2374814, 2374815, 2374817, 2374818, 2374824, 2380871, 2380872, 2380873, 2380877, 2380878, 2380879 | | |
| Bug Blocks: | | | |
This issue has been addressed in the following products:

- OCP-Tools-4.18-RHEL-9 via RHSA-2025:10092 (https://access.redhat.com/errata/RHSA-2025:10092)
- OCP-Tools-4.17-RHEL-9 via RHSA-2025:10097 (https://access.redhat.com/errata/RHSA-2025:10097)
- OCP-Tools-4.16-RHEL-9 via RHSA-2025:10098 (https://access.redhat.com/errata/RHSA-2025:10098)
- OCP-Tools-4.15-RHEL-8 via RHSA-2025:10104 (https://access.redhat.com/errata/RHSA-2025:10104)
- OCP-Tools-4.13-RHEL-8 via RHSA-2025:10119 (https://access.redhat.com/errata/RHSA-2025:10119)
- OCP-Tools-4.12-RHEL-8 via RHSA-2025:10118 (https://access.redhat.com/errata/RHSA-2025:10118)
- OCP-Tools-4.14-RHEL-8 via RHSA-2025:10120 (https://access.redhat.com/errata/RHSA-2025:10120)
- Red Hat JBoss Enterprise Application Platform 7.4.23 via RHSA-2025:11474 (https://access.redhat.com/errata/RHSA-2025:11474)
- Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7, Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8, Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 via RHSA-2025:11473 (https://access.redhat.com/errata/RHSA-2025:11473)
- Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions via RHSA-2025:12282 (https://access.redhat.com/errata/RHSA-2025:12282)
- Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions via RHSA-2025:12283 (https://access.redhat.com/errata/RHSA-2025:12283)
- Red Hat Enterprise Linux 9.4 Extended Update Support via RHSA-2025:12281 (https://access.redhat.com/errata/RHSA-2025:12281)
- Red Hat Enterprise Linux 9 via RHSA-2025:12280 (https://access.redhat.com/errata/RHSA-2025:12280)
- Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On via RHSA-2025:14116 (https://access.redhat.com/errata/RHSA-2025:14116)
- Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.8 Telecommunications Update Service via RHSA-2025:14117 (https://access.redhat.com/errata/RHSA-2025:14117)
- Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.6 Telecommunications Update Service via RHSA-2025:14118 (https://access.redhat.com/errata/RHSA-2025:14118)
- Red Hat Enterprise Linux 8 via RHSA-2025:14126 (https://access.redhat.com/errata/RHSA-2025:14126)
- Red Hat Enterprise Linux 8.2 Advanced Update Support via RHSA-2025:14127 (https://access.redhat.com/errata/RHSA-2025:14127)
- Red Hat Single Sign-On 7.6.12 via RHSA-2025:15717 (https://access.redhat.com/errata/RHSA-2025:15717)
- Red Hat JBoss Enterprise Application Platform 7 via RHSA-2025:11474 (https://access.redhat.com/errata/RHSA-2025:11474)
jackson-core contains the core low-level incremental ("streaming") parser and generator abstractions used by the Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input document that has deeply nested data, Jackson could end up throwing a StackOverflowError if the depth is particularly large. jackson-core 2.15.0 adds a configurable limit on how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000; jackson-core throws a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.