VulnerableCode Package Details - pkg:deb/debian/jackson-core@0?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-ubx4-dx4j-67dd	jackson-core has Nesting Depth Constraint Bypass in `UTF8DataInputJsonParser` potentially allowing Resource Exhaustion ### Summary The `UTF8DataInputJsonParser`, which is used when parsing from a `java.io.DataInput` source, bypasses the `maxNestingDepth` constraint (default: 500) defined in `StreamReadConstraints`. A similar issue was found in `ReaderBasedJsonParser`. This allows a user to supply a JSON document with excessive nesting, which can cause a `StackOverflowError` when the structure is processed, leading to a Denial of Service (DoS). The related fix for com.fasterxml.jackson.core:jackson-core, CVE-2025-52999, was not fully applied to tools.jackson.core:jackson-core until the 3.1.0 release. It is recommended that 3.0.x users upgrade. ### Patches jackson-core contains a configurable limit for how deep Jackson will traverse in an input document. This check was missing in a few places in tools.jackson.core:jackson-core. The change is in https://github.com/FasterXML/jackson-core/pull/1554. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. ### Workarounds Users should avoid parsing input files from untrusted sources. ### Resources [GHSA-6v53-7c9g-w56r](https://github.com/FasterXML/jackson-core/security/advisories/GHSA-6v53-7c9g-w56r) https://nvd.nist.gov/vuln/detail/CVE-2025-52999 https://github.com/FasterXML/jackson-core/pull/1554	CVE-2026-29062 GHSA-6v53-7c9g-w56r

Vulnerability

Summary

Aliases

VCID-ubx4-dx4j-67dd

jackson-core has Nesting Depth Constraint Bypass in `UTF8DataInputJsonParser` potentially allowing Resource Exhaustion ### Summary The `UTF8DataInputJsonParser`, which is used when parsing from a `java.io.DataInput` source, bypasses the `maxNestingDepth` constraint (default: 500) defined in `StreamReadConstraints`. A similar issue was found in `ReaderBasedJsonParser`. This allows a user to supply a JSON document with excessive nesting, which can cause a `StackOverflowError` when the structure is processed, leading to a Denial of Service (DoS). The related fix for com.fasterxml.jackson.core:jackson-core, CVE-2025-52999, was not fully applied to tools.jackson.core:jackson-core until the 3.1.0 release. It is recommended that 3.0.x users upgrade. ### Patches jackson-core contains a configurable limit for how deep Jackson will traverse in an input document. This check was missing in a few places in tools.jackson.core:jackson-core. The change is in https://github.com/FasterXML/jackson-core/pull/1554. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. ### Workarounds Users should avoid parsing input files from untrusted sources. ### Resources [GHSA-6v53-7c9g-w56r](https://github.com/FasterXML/jackson-core/security/advisories/GHSA-6v53-7c9g-w56r) https://nvd.nist.gov/vuln/detail/CVE-2025-52999 https://github.com/FasterXML/jackson-core/pull/1554

CVE-2026-29062
GHSA-6v53-7c9g-w56r

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T10:42:33.284766+00:00	Debian Importer	Fixing	VCID-ubx4-dx4j-67dd	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T07:14:36.897558+00:00	Debian Importer	Fixing	VCID-ubx4-dx4j-67dd	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:27:45.500728+00:00	Debian Importer	Fixing	VCID-ubx4-dx4j-67dd	https://security-tracker.debian.org/tracker/data/json	38.1.0