Home > Vulnerability Database > CVE-2025-52999

Mend.io Vulnerability Database

CVE-2025-52999

Good to know:

Date: June 25, 2025

jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.

Severity Score

3.4

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-52999

Url: https://github.com/FasterXML/jackson-core/pull/943

Url: https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3

Url: https://github.com/FasterXML/jackson-core

Url: https://www.mend.io/vulnerability-database/CVE-2025-52999

Severity Score

3.4

Weakness Type (CWE)

Stack-based Buffer Overflow

CWE-121

Top Fix

Upgrade Version

Upgrade to version com.fasterxml.jackson.core:jackson-core:2.15.0;com.fasterxml.jackson.core:jackson-core:2.15.0;https://github.com/FasterXML/jackson-core.git - jackson-core-2.15.0

Learn More

CVSS v3.1

Base Score:	3.4
Attack Vector (AV):	ADJACENT_NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-52999

Good to know:

Date: June 25, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?