CVE-2026-29062
jackson-core: Nesting Depth Constraint Bypass in `UTF8DataInputJsonParser` potentially allowing Resource Exhaustion
jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. A similar issue was found in ReaderBasedJsonParser. This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS). This issue has been patched in version 3.1.0.
| CWE | CWE-770 |
| Vendor | fasterxml |
| Product | jackson-core |
| Published | Mar 6, 2026 |
| Last Updated | Mar 9, 2026 |
Get instant alerts for fasterxml jackson-core
Be the first to know when new unknown vulnerabilities affecting fasterxml jackson-core are published โ delivered to Slack, Telegram or Discord.