CVE-2025-52999
Description
jackson-core contains the core low-level incremental (streaming) parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, parsing an input file that contains deeply nested data can cause Jackson to throw a StackOverflowError if the depth is particularly large. jackson-core 2.15.0 adds a configurable limit on how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core throws a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.
Risk Information
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2025-52999 are fixed in Jackson - jackson-core 2.15.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Business Automation Workflow 24.0.1 | Windows |
| Vulnerabilities CVE-2025-26791,CVE-2025-52999 are affected in Oracle Primavera P6 Enterprise Project Portfolio Management 21.12.21.6 | Windows |
| Vulnerabilities CVE-2025-26791,CVE-2025-52999 are affected in Oracle Primavera P6 Enterprise Project Portfolio Management 22.12.21.1 | Windows |
| Vulnerabilities CVE-2025-26791,CVE-2025-52999 are affected in Oracle Primavera P6 Enterprise Project Portfolio Management 23.12.18.0 | Windows |
| Vulnerabilities CVE-2025-26791,CVE-2025-48795,CVE-2025-52999 are affected in Oracle Primavera P6 Enterprise Project Portfolio Management 24.12.13.0 | Windows |
| Vulnerabilities CVE-2025-26791,CVE-2025-52999 are affected in Oracle Primavera P6 Enterprise Project Portfolio Management 25.12.2.0 | Windows |
| (RHSA-2025:12280) Important: jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base security update RHSA-2025:12280 pki-jackson-module-jaxb-annotations-2.19.1-1.el9_6.noarch.rpm | Linux |
| (RHSA-2025:12280) Important: jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base security update RHSA-2025:12280 pki-jackson-jaxrs-providers-2.19.1-1.el9_6.noarch.rpm | Linux |
| (RHSA-2025:12280) Important: jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base security update RHSA-2025:12280 pki-jackson-jaxrs-json-provider-2.19.1-1.el9_6.noarch.rpm | Linux |
| (RHSA-2025:12280) Important: jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base security update RHSA-2025:12280 pki-jackson-databind-2.19.1-1.el9_6.noarch.rpm | Linux |
| (RHSA-2025:12280) Important: jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base security update RHSA-2025:12280 pki-jackson-core-2.19.1-1.el9_6.noarch.rpm | Linux |
| (RHSA-2025:12280) Important: jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base security update RHSA-2025:12280 pki-jackson-annotations-2.19.1-1.el9_6.noarch.rpm | Linux |
| jackson Security Update (ALAS2-2025-2934) ALAS2-2025-2934 jackson-1.9.4-7.amzn2.0.1.noarch.rpm | Linux |
| jackson Security Update (ALAS2-2025-2934) ALAS2-2025-2934 jackson-javadoc-1.9.4-7.amzn2.0.1.noarch.rpm | Linux |
| Pki-jackson-module-jaxb-annotations update (ELSA-2025-12280) ELSA-2025-12280 pki-jackson-module-jaxb-annotations-2.19.1-1.el9_6.noarch.rpm | Linux |
| Pki-jackson-jaxrs-providers update (ELSA-2025-12280) ELSA-2025-12280 pki-jackson-jaxrs-providers-2.19.1-1.el9_6.noarch.rpm | Linux |
| Pki-jackson-annotations update (ELSA-2025-12280) ELSA-2025-12280 pki-jackson-annotations-2.19.1-1.el9_6.noarch.rpm | Linux |
| Pki-jackson-core update (ELSA-2025-12280) ELSA-2025-12280 pki-jackson-core-2.19.1-1.el9_6.noarch.rpm | Linux |
| Pki-jackson-databind update (ELSA-2025-12280) ELSA-2025-12280 pki-jackson-databind-2.19.1-1.el9_6.noarch.rpm | Linux |
| Pki-jackson-jaxrs-json-provider update (ELSA-2025-12280) ELSA-2025-12280 pki-jackson-jaxrs-json-provider-2.19.1-1.el9_6.noarch.rpm | Linux |
| jackson-core Security Update (ALAS2023-2025-1127) ALAS2023-2025-1127 jackson-core-2.16.1-4.amzn2023.0.1.noarch.rpm | Linux |
| Vulnerabilities CVE-2025-52999 are fixed in Jackson - jackson-core for Linux 2.15.0 | Linux |
| CVE-2025-52999 | NCM |
Patch Details
No records found