Bug#1108367: jackson-core: CVE-2025-52999
Salvatore Bonaccorso
carnil at debian.org
Fri Jun 27 05:07:49 BST 2025
Source: jackson-core
Version: 2.14.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/FasterXML/jackson-core/pull/943
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for jackson-core.
CVE-2025-52999[0]:
| jackson-core contains core low-level incremental ("streaming")
| parser and generator abstractions used by Jackson Data Processor. In
| versions prior to 2.15.0, if a user parses an input file and it has
| deeply nested data, Jackson could end up throwing a
| StackoverflowError if the depth is particularly large. jackson-core
| 2.15.0 contains a configurable limit for how deep Jackson will
| traverse in an input document, defaulting to an allowable depth of
| 1000. jackson-core will throw a StreamConstraintsException if the
| limit is reached. jackson-databind also benefits from this change
| because it uses jackson-core to parse JSON inputs. As a workaround,
| users should avoid parsing input files from untrusted sources.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-52999
https://www.cve.org/CVERecord?id=CVE-2025-52999
[1] https://github.com/FasterXML/jackson-core/pull/943
[2] https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the pkg-java-maintainers
mailing list