CVE Alert

CVE-2026-50193

UNKNOWN 0.0

jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString()

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

jackson-databind contains the general-purpose data-binding functionality and tree model for the Jackson Data Processor. From 2.13.0 until 2.14.0, a potential denial of service exists when an attacker sends deeply nested JSON if (and only if) the service reads deeply nested (1000s of levels) JSON as a JsonNode (ObjectMapper.readTree()) and writes out the same (or modified) node using JsonNode.toString(). This can consume a significant amount of resources with concurrent, relatively small requests (1000 nested arrays is 2kB). This vulnerability is fixed in 2.14.0.

CWE: CWE-400
Vendor: fasterxml
Product: jackson-databind
Published: Jun 23, 2026
Affected Versions

FasterXML / jackson-databind
>= 2.10.0, < 2.14.0

References

NVD, CVE.org, EPSS Data
https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-3wrr-7qpf-2prh
https://github.com/FasterXML/jackson-databind/issues/3447
https://github.com/FasterXML/jackson-databind/commit/a1fa4ae4ecf5cee16da465985f135f3e81816f8c