CVE-2026-50193
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk45th percentile — higher than 45% of all known CVEs
Summary
A vulnerability in jackson-databind from version 2.13.0 to 2.14.0 allows a DoS attack by sending deeply nested JSON (thousands of levels) read as JsonNode and written via toString(). Even small requests (1000 nested arrays is 2kB) can significantly consume system resources.
Risk Assessment
An attacker can overload the server by sending multiple small but deeply nested JSON requests, leading to resource exhaustion and denial of service for legitimate users.
Recommendation
Immediately update jackson-databind to version 2.14.0 or later, which contains the fix for this vulnerability.
Original NVD description (English source)
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.13.0 until 2.14.0, a potential Denial-of-Service exists when attacker sends deeply nested JSON if (and only if) the service reads deeply nested (1000s of levels) JSON as JsonNode (ObjectMapper.readTree()) and writes out same (or modifided) node using JsonNode.toString(). This can consume significant amount of resources with concurrent relatively small requests (1000 nested arrays is 2kB). This vulnerability is fixed in 2.14.0.

