← voltar
CVE-2026-50193

jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString()

CVSS 6.3 MEDIUMEPSS 0.5%CWE-400
Vexday Risk Score
13Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 6.3EPSS 0.5%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
23 jun 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.13.0 until 2.14.0, a potential Denial-of-Service exists when attacker sends deeply nested JSON if (and only if) the service reads deeply nested (1000s of levels) JSON as JsonNode (ObjectMapper.readTree()) and writes out same (or modifided) node using JsonNode.toString(). This can consume significant amount of resources with concurrent relatively small requests (1000 nested arrays is 2kB). This vulnerability is fixed in 2.14.0.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Produtos afetados
FasterXML · jackson-databind

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/FasterXML/jackson-databind/commit/a1fa4ae4ecf5cee16da465985f135f3e81816f8chttps://github.com/FasterXML/jackson-databind/issues/3447https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-3wrr-7qpf-2prh