Resource exhaustion in Fasterxml Jackson-databind

CVE-2026-50193

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.13.0 until 2.14.0, a potential Denial-of-Service exists when attacker sends deeply nested JSON if (and only if) the…

Vulnerability class: DoS (Denial of Service)

Affected products

Fasterxml Jackson-databind — versions >= 2.10.0, < 2.14.0

Weakness classification (CWE)

CWE-400 — Uncontrolled Resource Consumption

References

security-advisories@github.com (x_refsource_MISC)
security-advisories@github.com (x_refsource_MISC)
security-advisories@github.com (x_refsource_CONFIRM)