jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString()
Moderate severity
GitHub Reviewed
Published May 28, 2026 in FasterXML/jackson-databind • Updated Jun 23, 2026
Package
Affected versions: >= 2.10.0, <= 2.13.5
Patched versions: 2.14.0
Description
Published to the GitHub Advisory Database: Jun 23, 2026
Reviewed: Jun 23, 2026
Last updated: Jun 23, 2026
Impact
Potential Denial-of-Service when an attacker sends deeply nested JSON if (and only if) the service reads the input as a JsonNode (ObjectMapper.readTree()) and calls JsonNode.toString() on it, which can consume a significant amount of resources with concurrent, relatively small requests (1000 nested arrays is 2kB).
Patches
Fixed in 2.14.0 via FasterXML/jackson-databind#3447.
Workarounds
Avoid serializing JsonNode using toString(): use ObjectMapper.writeValueAsString(node)
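An added example, not code from the advisory or from jackson-databind: a nesting-depth check on the raw request body before ObjectMapper.readTree(), followed by the workaround above. The names NestingGuard, maxDepth and normalize and the limit of 64 are assumptions for illustration; it needs Java 11+ and jackson-databind on the classpath.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

public class NestingGuard {
    static final int MAX_DEPTH = 64; // assumed limit; size it to your real payloads
    static final ObjectMapper MAPPER = new ObjectMapper();

    /** Deepest array/object nesting in the raw JSON text, ignoring brackets inside strings. */
    static int maxDepth(String json) {
        int depth = 0, max = 0;
        boolean inString = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                if (c == '\\') i++;                  // skip the escaped character
                else if (c == '"') inString = false;
            } else if (c == '"') {
                inString = true;
            } else if (c == '[' || c == '{') {
                max = Math.max(max, ++depth);
            } else if (c == ']' || c == '}') {
                depth--;
            }
        }
        return max;
    }

    /** Parses and re-serializes a body, refusing over-deep input before a JsonNode is built. */
    static String normalize(String body) throws Exception {
        int depth = maxDepth(body);
        if (depth > MAX_DEPTH)
            throw new IllegalArgumentException("JSON nesting depth " + depth + " exceeds " + MAX_DEPTH);
        JsonNode node = MAPPER.readTree(body);
        // The page's workaround: serialize through the mapper rather than node.toString().
        return MAPPER.writeValueAsString(node);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: an ordinary document and 1000 nested arrays (2000 characters).
        String ok = "{\"tags\":[\"a]\",\"b\"],\"n\":1}";
        String deep = "[".repeat(1000) + "]".repeat(1000);
        System.out.println(normalize(ok));
        try {
            normalize(deep);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```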