The vulnerability CVE-2026-29062 affects the jackson-core library, specifically versions from 3.0.0 up to but not including 3.1.0. Jackson-core is a widely used Java library for processing JSON data, providing core low-level streaming parser and generator abstractions. The issue lies in the UTF8DataInputJsonParser and ReaderBasedJsonParser components, which parse JSON input from java.io.DataInput and Reader sources respectively. These parsers bypass the maxNestingDepth constraint, which is intended to limit the depth of nested JSON structures to prevent resource exhaustion. The default maxNestingDepth is set to 500 in StreamReadConstraints. By supplying a JSON document with excessive nesting beyond this limit, an attacker can cause the parser to recurse deeply, ultimately triggering a StackOverflowError. This results in a denial of service (DoS) condition by crashing the application or service using the vulnerable jackson-core version. The vulnerability is classified under CWE-770, which refers to allocation of resources without limits or throttling, leading to potential resource exhaustion. The flaw does not require any authentication or user interaction to exploit, and the attack vector is network-based (remote). The vulnerability has a CVSS 4.0 base score of 8.7, indicating high severity. Although no known exploits have been reported in the wild, the widespread use of jackson-core in Java applications makes this a significant risk. The issue was addressed and patched in jackson-core version 3.1.0, restoring enforcement of the maxNestingDepth constraint to prevent excessive recursion.

This vulnerability can have a significant impact on organizations worldwide that use jackson-core versions 3.0.0 to before 3.1.0 in their Java applications and services. An attacker can remotely send crafted JSON payloads with deeply nested structures to trigger a StackOverflowError, causing the affected application to crash or become unresponsive, resulting in denial of service. This can disrupt critical business operations, degrade service availability, and potentially lead to cascading failures in distributed systems relying on JSON processing. Since no authentication or user interaction is required, the attack surface is broad, increasing the likelihood of exploitation attempts. Organizations running public-facing APIs, microservices, or backend systems that parse JSON with jackson-core are particularly at risk. The vulnerability does not directly compromise confidentiality or integrity but can severely impact availability. The lack of throttling or limits on resource allocation in the vulnerable parsers exacerbates the risk of resource exhaustion attacks. Given jackson-core's popularity in enterprise Java environments, the potential scale of impact is considerable.

To mitigate this vulnerability, organizations should immediately upgrade jackson-core to version 3.1.0 or later, where the maxNestingDepth constraint enforcement has been restored. If upgrading is not immediately feasible, implement input validation and filtering at the application or API gateway level to detect and reject JSON payloads with excessive nesting depth. Employ runtime monitoring and alerting for application crashes or StackOverflowErrors related to JSON parsing. Consider deploying Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) with custom rules to identify and block suspiciously nested JSON inputs. Review and harden JSON parsing configurations to enforce strict limits on nesting depth where possible. Conduct thorough testing of JSON input handling to ensure resilience against resource exhaustion attacks. Maintain an inventory of applications and services using jackson-core to prioritize patching efforts. Finally, monitor security advisories and threat intelligence feeds for any emerging exploit attempts targeting this vulnerability.