CVE Catalog

CVE-2026-50193

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.62%

45th percentile — higher than 45% of all known CVEs

Summary

A vulnerability in jackson-databind from version 2.13.0 to 2.14.0 allows a DoS attack by sending deeply nested JSON (thousands of levels) read as JsonNode and written via toString(). Even small requests (1000 nested arrays is 2kB) can significantly consume system resources.

Risk Assessment

An attacker can overload the server by sending multiple small but deeply nested JSON requests, leading to resource exhaustion and denial of service for legitimate users.

Recommendation

Immediately update jackson-databind to version 2.14.0 or later, which contains the fix for this vulnerability.

Original NVD description (English source)

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.13.0 until 2.14.0, a potential Denial-of-Service exists when attacker sends deeply nested JSON if (and only if) the service reads deeply nested (1000s of levels) JSON as JsonNode (ObjectMapper.readTree()) and writes out same (or modifided) node using JsonNode.toString(). This can consume significant amount of resources with concurrent relatively small requests (1000 nested arrays is 2kB). This vulnerability is fixed in 2.14.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS