Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/23476?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/23476?format=api", "vulnerability_id": "VCID-ubx4-dx4j-67dd", "summary": "jackson-core has Nesting Depth Constraint Bypass in `UTF8DataInputJsonParser` potentially allowing Resource Exhaustion\n### Summary\nThe `UTF8DataInputJsonParser`, which is used when parsing from a `java.io.DataInput` source, bypasses the `maxNestingDepth` constraint (default: 500) defined in `StreamReadConstraints`.\n\nA similar issue was found in `ReaderBasedJsonParser`.\n\nThis allows a user to supply a JSON document with excessive nesting, which can cause a `StackOverflowError` when the structure is processed, leading to a Denial of Service (DoS).\n\nThe related fix for com.fasterxml.jackson.core:jackson-core, CVE-2025-52999, was not fully applied to tools.jackson.core:jackson-core until the 3.1.0 release. It is recommended that 3.0.x users upgrade.\n\n### Patches\njackson-core contains a configurable limit for how deep Jackson will traverse in an input document. This check was missing in a few places in tools.jackson.core:jackson-core. \n\nThe change is in https://github.com/FasterXML/jackson-core/pull/1554. jackson-core will throw a StreamConstraintsException if the limit is reached.\n\njackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs.\n\n### Workarounds\nUsers should avoid parsing input files from untrusted sources.\n\n### Resources\n[GHSA-6v53-7c9g-w56r](https://github.com/FasterXML/jackson-core/security/advisories/GHSA-6v53-7c9g-w56r)\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-52999\nhttps://github.com/FasterXML/jackson-core/pull/1554", "aliases": [ { "alias": "CVE-2026-29062" }, { "alias": "GHSA-6v53-7c9g-w56r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/925792?format=api", "purl": "pkg:deb/debian/jackson-core@0?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/jackson-core@0%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/925789?format=api", "purl": "pkg:deb/debian/jackson-core@2.12.1-1?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-395t-bxwj-7fcu" }, { "vulnerability": "VCID-pwnn-qx48-ykae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/jackson-core@2.12.1-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/925790?format=api", "purl": "pkg:deb/debian/jackson-core@2.14.1-1?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pwnn-qx48-ykae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/jackson-core@2.14.1-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/1067553?format=api", "purl": "pkg:deb/debian/jackson-core@2.14.1-2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/jackson-core@2.14.1-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/64508?format=api", "purl": "pkg:maven/tools.jackson.core/jackson-core@3.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dvxx-f126-g3gb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/tools.jackson.core/jackson-core@3.1.0" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/147408?format=api", "purl": "pkg:maven/tools.jackson.core/jackson-core@3.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dvxx-f126-g3gb" }, { "vulnerability": "VCID-evmb-e63r-rfcy" }, { "vulnerability": "VCID-ubx4-dx4j-67dd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/tools.jackson.core/jackson-core@3.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/1000182?format=api", "purl": "pkg:maven/tools.jackson.core/jackson-core@3.0.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dvxx-f126-g3gb" }, { "vulnerability": "VCID-evmb-e63r-rfcy" }, { "vulnerability": "VCID-ubx4-dx4j-67dd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/tools.jackson.core/jackson-core@3.0.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/1000183?format=api", "purl": "pkg:maven/tools.jackson.core/jackson-core@3.0.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dvxx-f126-g3gb" }, { "vulnerability": "VCID-evmb-e63r-rfcy" }, { "vulnerability": "VCID-ubx4-dx4j-67dd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/tools.jackson.core/jackson-core@3.0.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/1000184?format=api", "purl": "pkg:maven/tools.jackson.core/jackson-core@3.0.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dvxx-f126-g3gb" }, { "vulnerability": "VCID-evmb-e63r-rfcy" }, { "vulnerability": "VCID-ubx4-dx4j-67dd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/tools.jackson.core/jackson-core@3.0.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/1000185?format=api", "purl": "pkg:maven/tools.jackson.core/jackson-core@3.0.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dvxx-f126-g3gb" }, { "vulnerability": "VCID-evmb-e63r-rfcy" }, { "vulnerability": "VCID-ubx4-dx4j-67dd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/tools.jackson.core/jackson-core@3.0.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/1000186?format=api", "purl": "pkg:maven/tools.jackson.core/jackson-core@3.1.0-rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dvxx-f126-g3gb" }, { "vulnerability": "VCID-evmb-e63r-rfcy" }, { "vulnerability": "VCID-ubx4-dx4j-67dd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/tools.jackson.core/jackson-core@3.1.0-rc1" } ], "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29062.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29062.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29062", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04603", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04582", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05434", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05433", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05391", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05353", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05198", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05251", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05471", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05427", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05196", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05258", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05293", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05314", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05279", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05264", "published_at": "2026-04-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29062" }, { "reference_url": "https://github.com/FasterXML/jackson-core", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FasterXML/jackson-core" }, { "reference_url": "https://github.com/FasterXML/jackson-core/commit/8b25fd67f20583e75fb09564ce1eaab06cd5a902", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:02:22Z/" } ], "url": "https://github.com/FasterXML/jackson-core/commit/8b25fd67f20583e75fb09564ce1eaab06cd5a902" }, { "reference_url": "https://github.com/FasterXML/jackson-core/pull/1554", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:02:22Z/" } ], "url": "https://github.com/FasterXML/jackson-core/pull/1554" }, { "reference_url": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-6v53-7c9g-w56r", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:02:22Z/" } ], "url": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-6v53-7c9g-w56r" }, { "reference_url": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29062", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29062" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445135", "reference_id": "2445135", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445135" }, { "reference_url": "https://github.com/advisories/GHSA-6v53-7c9g-w56r", "reference_id": "GHSA-6v53-7c9g-w56r", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6v53-7c9g-w56r" } ], "weaknesses": [ { "cwe_id": 770, "name": "Allocation of Resources Without Limits or Throttling", "description": "The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor." }, { "cwe_id": 1284, "name": "Improper Validation of Specified Quantity in Input", "description": "The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": "7.0 - 8.9", "exploitability": "0.5", "weighted_severity": "8.0", "risk_score": 4.0, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ubx4-dx4j-67dd" }