Stack Overflow Error in Jackson Data Processor's Core Library
CVE-2025-52999

8.7HIGH

Key Information:

Vendor: Fasterxml
Status: Jackson-core
Vendor: CVE Published:; 25 June 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-52999?

The jackson-core library, utilized by the Jackson Data Processor, has a vulnerability related to the handling of deeply nested data structures. In versions before 2.15.0, parsing an input file with excessive nesting can lead to a StackOverflowError, disrupting application functionality. The updated version introduces a configurable depth limit, set by default to 1000 levels. If this limit is exceeded, a StreamConstraintsException will be thrown, preventing application crashes. Users are advised to avoid parsing untrusted input files as a precautionary measure.

Affected Version(s)

jackson-core < 2.15.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

jackson
Created by sassoftware

References

https://github.com/FasterXML/jackson-core/security/adviso...

x_refsource_CONFIRM

https://github.com/FasterXML/jackson-core/pull/943

x_refsource_MISC

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Feb 24, 2026
👾
Exploit known to exist
Feb 24, 2026
Vulnerability published
Jun 25, 2025
Vulnerability Reserved
Jun 24, 2025

CVE-2025-52999 Data

JSON

Fasterxml

Badges

What is CVE-2025-52999?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline