Bug 2374804 (CVE-2025-52999) - CVE-2025-52999 com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError
Summary: CVE-2025-52999 com.fasterxml.jackson.core/jackson-core: jackson-core Potentia...
Keywords:
Status: NEW
Alias: CVE-2025-52999
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2374813 2374814 2374815 2374816 2374817 2374818 2374819 2374820 2374821 2374822 2374823 2374824 2374825 2374826
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-06-25 18:01 UTC by OSIDB Bzimport
Modified: 2025-06-26 11:58 UTC (History)
163 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-06-25 18:01:18 UTC 
jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.
Note You need to log in before you can comment on or make changes to this bug.