Source: jackson-core
Version: 2.14.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/FasterXML/jackson-core/pull/943
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for jackson-core.
CVE-2025-52999[0]:
| jackson-core contains core low-level incremental ("streaming")
| parser and generator abstractions used by Jackson Data Processor. In
| versions prior to 2.15.0, if a user parses an input file and it has
| deeply nested data, Jackson could end up throwing a
| StackoverflowError if the depth is particularly large. jackson-core
| 2.15.0 contains a configurable limit for how deep Jackson will
| traverse in an input document, defaulting to an allowable depth of
| 1000. jackson-core will throw a StreamConstraintsException if the
| limit is reached. jackson-databind also benefits from this change
| because it uses jackson-core to parse JSON inputs. As a workaround,
| users should avoid parsing input files from untrusted sources.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-52999
https://www.cve.org/CVERecord?id=CVE-2025-52999
[1] https://github.com/FasterXML/jackson-core/pull/943
[2]
https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use
[email protected] for discussions and questions.
