How the CVE Works:
The vulnerability (CVE-2025-12345) in `jackson-core` (< 2.15.0) occurs when parsing deeply nested JSON or XML data. Because recursion depth is not checked, maliciously crafted input with excessive nesting triggers a StackOverflowError and crashes the application. The parser enforces no depth constraint, so recursive traversal of the nested structure exhausts the call stack. Fixed in v2.15.0 by introducing `StreamConstraintsException` with a default max depth of 1000.
DailyCVE Form:
Platform: Java
Version: < 2.15.0
Vulnerability: Stack overflow
Severity: Medium
Date: Jun 27, 2025
Prediction: Patch available
What Undercode Say:
Check jackson-core version: `mvn dependency:tree | grep "jackson-core"`
Exploit PoC (malicious nested JSON): `echo '{"a":'$(python3 -c 'print("{" * 2000 + "}" * 2000)')'}' > exploit.json`
Mitigation command (update; `mvn update` is not a Maven goal, so pin the dependency with the versions plugin): `mvn versions:use-dep-version -Dincludes=com.fasterxml.jackson.core:jackson-core -DdepVersion=2.15.0`
How Exploit:
- Craft JSON/XML with 1000+ nested layers.
- Submit to unpatched Jackson parser.
- Trigger StackOverflowError, denying service.
Protection from this CVE:
- Upgrade to `jackson-core` ≥ 2.15.0.
- Validate input depth pre-parsing.
- Reject untrusted nested data.
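The two protections above (a pre-parse depth check and the 2.15+ parser limit) as an added Java example; this is not code from the advisory or from the Jackson project. It assumes jackson-databind on the classpath, Java 11+ for `String.repeat`, and a depth limit of 100 chosen for illustration.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

public class NestingDepthGuard {
    // Illustrative limit; pick one that fits the data model you actually accept.
    static final int MAX_DEPTH = 100;

    // Pre-parse check using only the streaming API: it counts container starts and
    // ends as tokens arrive and never builds a tree, so it does not recurse itself.
    // This works on jackson-core < 2.15 as well, and stops reading at the first violation.
    static boolean withinDepth(String json, int maxDepth) throws IOException {
        try (JsonParser p = new JsonFactory().createParser(json)) {
            int depth = 0;
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t == JsonToken.START_OBJECT || t == JsonToken.START_ARRAY) {
                    if (++depth > maxDepth) return false;
                } else if (t == JsonToken.END_OBJECT || t == JsonToken.END_ARRAY) {
                    depth--;
                }
            }
            return true;
        }
    }

    // Jackson >= 2.15: have the parser enforce the limit via StreamReadConstraints,
    // so over-nested input fails with StreamConstraintsException, not StackOverflowError.
    static ObjectMapper constrainedMapper(int maxDepth) {
        JsonFactory f = JsonFactory.builder()
            .streamReadConstraints(StreamReadConstraints.builder().maxNestingDepth(maxDepth).build())
            .build();
        return new ObjectMapper(f);
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: braces inside a string literal must not count as nesting.
        String shallow = "{\"a\":[1,{\"b\":\"{{{\"}]}";
        String deep = "[".repeat(MAX_DEPTH + 1) + "]".repeat(MAX_DEPTH + 1);
        System.out.println("shallow within limit: " + withinDepth(shallow, MAX_DEPTH));
        System.out.println("deep within limit:    " + withinDepth(deep, MAX_DEPTH));
        try {
            JsonNode n = constrainedMapper(MAX_DEPTH).readTree(deep);
            System.out.println("parsed: " + n);
        } catch (StreamConstraintsException e) {
            System.out.println("rejected by StreamReadConstraints: " + e.getMessage());
        }
    }
}
```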
Impact:
- Application crash (DoS).
- Potential data corruption.
Sources:
Reported By: github.com