CVE-2025-52999: 
Java vulnerability analysis and mitigation

CVE-2025-52999 affects jackson-core, a core low-level incremental parser and generator abstraction used by Jackson Data Processor. The vulnerability was discovered and disclosed on June 25, 2025, affecting versions prior to 2.15.0. The issue occurs when parsing input files containing deeply nested data structures, which could lead to a StackoverflowError if the nesting depth is particularly large (GitHub Advisory, NVD).

The vulnerability stems from jackson-core's handling of deeply nested data structures during parsing. When processing input files with excessive nesting levels, the parser could encounter a StackoverflowError. The issue has been assigned a CVSS v4.0 score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N (NVD).

The vulnerability can lead to a denial of service condition through stack exhaustion when processing deeply nested JSON data. This affects applications using jackson-core for JSON parsing, particularly through jackson-databind, which relies on jackson-core for its parsing operations (GitHub Advisory).

The vulnerability has been fixed in jackson-core version 2.15.0, which introduces a configurable limit for document traversal depth, defaulting to 1000 levels. When this limit is reached, the parser throws a StreamConstraintsException instead of encountering a StackoverflowError. As a temporary workaround, users should avoid parsing input files from untrusted sources (GitHub Advisory, GitHub PR).

The vulnerability has been acknowledged by Red Hat, which has issued security updates for affected products including OpenShift Jenkins (Red Hat Advisory).