How CVE-2026-50193 Works
This vulnerability resides in the `toString()` method of Jackson’s `JsonNode` abstraction. Jackson is a widely-used Java library for processing JSON data, and `JsonNode` is its tree model representation of JSON. The `toString()` method is commonly called to get a string representation of a parsed JSON node, often for logging, debugging, or string manipulation. The core of the problem is that `toString()` performs a recursive traversal of the `JsonNode` tree to serialize it into a JSON string.
An attacker can exploit this by providing a JSON payload with extreme nesting depth, for example 50,000 levels of nested objects. When the application parses this JSON using `ObjectMapper.readTree()` and subsequently calls `toString()` on the resulting `JsonNode`, the recursive traversal of the deeply nested structure exhausts the Java call stack and throws a `StackOverflowError`. This error crashes the current thread, leading to a denial-of-service (DoS) condition.
The vulnerability is triggered under a specific set of conditions: the service must use `ObjectMapper.readTree()` to parse JSON into a `JsonNode` and then call `toString()` on that node. Notably, the parsing step itself (`readTree`) is not vulnerable; it is the subsequent `toString()` call that is problematic. The impact is amplified because the nested payload can be relatively small: a 1000-level nested array is only about 2 kilobytes, so an attacker can mount a DoS attack with minimal bandwidth, and a stream of concurrent small requests still causes significant resource consumption on the server. The vulnerable code path was introduced in version 2.10.0 and exists up to version 2.13.5.
The fix, implemented in version 2.14.0, changes the `toString()` serialization to be iterative rather than recursive, eliminating the stack overflow risk. Users are advised to upgrade to this version or avoid using `toString()` on untrusted `JsonNode` instances as a workaround.
DailyCVE Form
| Field | Value |
|-|-|
| Platform | FasterXML jackson-databind |
| Version | 2.10.0 through 2.13.5 |
| Vulnerability | StackOverflowError on `JsonNode.toString()` |
| Severity | Moderate (DoS) |
| Date | June 23, 2026 |
| Prediction | Already patched (2.14.0) |
What Undercode Say (Analytics)
The vulnerability is triggered when an application calls `toString()` on a `JsonNode` parsed from deeply nested JSON. Below is proof-of-concept code that reproduces the issue:
```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

public class DeepNestingPoc {
    public static void main(String[] args) throws IOException {
        int depth = 50000;
        // Build {"abc0": {"abc1": { ... }}} with `depth` nested objects
        StringBuilder jsonString = new StringBuilder();
        jsonString.append("{");
        for (int i = 0; i < depth; i++) {
            jsonString.append(String.format("\"abc%s\": {", i));
        }
        for (int i = 0; i < depth; i++) {
            jsonString.append("}");
        }
        jsonString.append("}");
        InputStream inputStream = new ByteArrayInputStream(
                jsonString.toString().getBytes(StandardCharsets.UTF_8)
        );
        ObjectMapper objectMapper = new ObjectMapper();
        // Parsing succeeds; the recursive toString() traversal is what overflows the stack
        JsonNode jsonNode = objectMapper.readTree(inputStream);
        jsonNode.toString(); // Throws StackOverflowError
    }
}
```
Key Analytics:
- Attack Vector: Remote, unauthenticated.
- Payload Size: Minimal (~2KB for 1000 nests).
- Impact: Thread crash, leading to application DoS.
- Affected Versions: 2.10.0 to 2.13.5.
- Fixed Version: 2.14.0.
Exploit
An attacker can craft a JSON payload with extreme nesting, as shown above, and send it to a vulnerable endpoint that parses the JSON into a `JsonNode` and calls `toString()` on it. The `StackOverflowError` will crash the processing thread, potentially taking down the entire service if the thread is critical or if the attack is repeated concurrently. No special privileges are required, and the attack can be performed over the network.
Protection
- Upgrade: Update to `jackson-databind` version 2.14.0 or later, where the issue is fixed.
- Workaround: Avoid calling `toString()` on `JsonNode` instances derived from untrusted input. Use `ObjectMapper.writeValueAsString(node)` instead, which does not suffer from this recursion issue.
- Input Validation: Implement depth limits on incoming JSON payloads to reject excessively nested structures before parsing.
- Rate Limiting: Apply rate limiting to endpoints that process JSON to mitigate the impact of repeated attacks.
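An added example (not code from this page or from the Jackson project) of the depth-limit mitigation listed above: it walks the payload with Jackson's token-by-token streaming parser to measure nesting before the text ever reaches `readTree()`. The class `NestingDepthGuard`, the methods `measureDepth` and `readTreeBounded`, the 64-level limit and the sample inputs are all assumptions made for this illustration; `String.repeat` requires Java 11 or later.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
/** Assumed helper (not part of jackson-databind): rejects deep nesting before readTree(). */
public final class NestingDepthGuard {
    private static final JsonFactory FACTORY = new JsonFactory();
    private static final ObjectMapper MAPPER = new ObjectMapper();
    /** Deepest object/array nesting seen, stopping early as soon as maxDepth is exceeded. */
    static int measureDepth(String json, int maxDepth) throws IOException {
        int depth = 0, deepest = 0;
        // The streaming parser advances token by token and does not recurse per nesting level.
        try (JsonParser parser = FACTORY.createParser(json)) {
            JsonToken token;
            while ((token = parser.nextToken()) != null) {
                if (token == JsonToken.START_OBJECT || token == JsonToken.START_ARRAY) {
                    deepest = Math.max(deepest, ++depth);
                    if (deepest > maxDepth) {
                        return deepest; // bail out; the rest of the payload need not be read
                    }
                } else if (token == JsonToken.END_OBJECT || token == JsonToken.END_ARRAY) {
                    depth--;
                }
            }
        }
        return deepest;
    }
    /** Parses untrusted JSON into a JsonNode only when its nesting stays within maxDepth. */
    static JsonNode readTreeBounded(String json, int maxDepth) throws IOException {
        if (measureDepth(json, maxDepth) > maxDepth) {
            throw new IllegalArgumentException("JSON nesting exceeds limit of " + maxDepth);
        }
        // Nesting is bounded, so a later toString() on this node cannot recurse past maxDepth
        return MAPPER.readTree(json);
    }
    public static void main(String[] args) throws IOException {
        // Constructed inputs: a shallow document (depth 3) and a 2,000-level nested array.
        String shallow = "{\"user\":{\"roles\":[\"admin\",\"dev\"]}}";
        String deep = "[".repeat(2000) + "]".repeat(2000);
        System.out.println("shallow depth: " + measureDepth(shallow, 64));
        try {
            readTreeBounded(deep, 64);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the check runs on the raw text before `readTree()`, an over-deep payload is rejected after reading only the first `maxDepth + 1` opening brackets, so the tree model is never built for it.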
Impact
Successful exploitation results in a denial-of-service condition where the application thread crashes due to a `StackOverflowError`. This can lead to service unavailability, especially if the vulnerability is triggered repeatedly. The attack requires minimal resources from the attacker and can be executed remotely, making it a significant risk for applications that parse untrusted JSON and use `JsonNode.toString()`.
Sources:
Reported By: github.com