CVE-2026-50193 - jackson-databind JsonNode deep nesting denial of service

CVE-2026-50193 - jackson-databind JsonNode deep nesting denial of service - High - 2026-06-23

Business risk: Small nested JSON payloads can consume outsized CPU/stack resources and take down API nodes.

Root cause: Unbounded JsonNode parsing and serialization of attacker-controlled nested structures causes resource exhaustion.

Affected versions

  • Vulnerable: jackson-databind 2.13.0 before 2.14.0 when deeply nested untrusted JSON is read as JsonNode and serialized with JsonNode.toString().
  • Fixed / safe target: Upgrade jackson-databind to 2.14.0+ and enforce maximum JSON nesting depth.
  • CVSS: 7.5 (High)

Exact vulnerable code pattern

JsonNode body = objectMapper.readTree(request.getInputStream());
return ResponseEntity.ok(body.toString());

Fixed / mitigated code pattern

JsonFactory factory = JsonFactory.builder()
    .streamReadConstraints(StreamReadConstraints.builder().maxNestingDepth(200).build())
    .build();
ObjectMapper objectMapper = new ObjectMapper(factory);
JsonNode body = objectMapper.readTree(request.getInputStream());
return ResponseEntity.ok(objectMapper.writeValueAsString(body));

Step-by-step integration guide

  1. Upgrade jackson-databind to 2.14.0+.
  2. Configure StreamReadConstraints or equivalent parser limits.
  3. Add a deeply nested payload regression test.
  4. Run API and serialization tests under concurrency.
  5. Deploy with request body size and timeout limits.

Alternative mitigations

  • Reject JSON bodies over strict nesting and byte-size limits at the gateway.
  • Avoid echoing JsonNode.toString() for untrusted input.
  • Rate-limit endpoints that parse arbitrary JSON.

Detection signature

rg -n "readTree\(|JsonNode\.toString\(|jackson-databind|StreamReadConstraints" .

Copy-paste skill block

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

Remediate CVE-2026-50193: jackson-databind JsonNode deep nesting denial of service.

Required output:
- A reviewer-ready PR with dependency/config/code changes, tests, and deployment notes; or
- TRIAGE.md if the affected runtime is outside this repository.

Steps:
1. Confirm exposure using the detection signature above.
2. Apply the fixed or mitigated pattern.
3. Add or run a regression test for the exploit shape.
4. Record commands, versions, and residual risk in the PR body.

Boundaries:
- Scope only CVE-2026-50193 and directly related hardening.
- Do not run destructive exploit payloads against production.
- Preserve existing behavior except for the vulnerable path.

Tags and revenue routing

  • Keywords: cve, jackson-databind, java, json, dos, sellable_to_saas, enterprise_blocker, high
  • Affected tech stack: java/maven
  • Revenue tags: sellable_to_saas, enterprise_blocker

References