CVE-2026-29062

jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. A similar issue was found in ReaderBasedJsonParser. This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS). This issue has been patched in version 3.1.0.
Configurations

Configuration 1

cpe:2.3:a:fasterxml:jackson-core:*:*:*:*:*:*:*:*

History

10 Mar 2026, 19:05

Type: Summary
  Values Removed: (none)
  Values Added: (es) jackson-core contains the core low-level incremental ('streaming') parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. A similar issue was found in ReaderBasedJsonParser. This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS). This issue has been patched in version 3.1.0.

Type: CPE
  Values Removed: (none)
  Values Added: cpe:2.3:a:fasterxml:jackson-core:*:*:*:*:*:*:*:*

Type: First Time
  Values Removed: (none)
  Values Added: Fasterxml; Fasterxml jackson-core

Type: CVSS
  Values Removed: v2 : unknown; v3 : unknown
  Values Added: v2 : unknown; v3 : 7.5

Type: References
  Values Removed: https://github.com/FasterXML/jackson-core/commit/8b25fd67f20583e75fb09564ce1eaab06cd5a902 (no tags)
  Values Added: https://github.com/FasterXML/jackson-core/commit/8b25fd67f20583e75fb09564ce1eaab06cd5a902 - Patch

Type: References
  Values Removed: https://github.com/FasterXML/jackson-core/pull/1554 (no tags)
  Values Added: https://github.com/FasterXML/jackson-core/pull/1554 - Issue Tracking, Patch

Type: References
  Values Removed: https://github.com/FasterXML/jackson-core/security/advisories/GHSA-6v53-7c9g-w56r (no tags)
  Values Added: https://github.com/FasterXML/jackson-core/security/advisories/GHSA-6v53-7c9g-w56r - Patch, Vendor Advisory

06 Mar 2026, 08:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-03-06 08:16

Updated : 2026-03-10 19:05


NVD link : CVE-2026-29062

Mitre link : CVE-2026-29062

CVE.ORG link : CVE-2026-29062


Products Affected

fasterxml

  • jackson-core
CWE

CWE-770: Allocation of Resources Without Limits or Throttling