CVE-2026-50193: CWE-400: Uncontrolled Resource Consumption in FasterXML jackson-databind
A denial-of-service vulnerability exists in FasterXML jackson-databind versions from 2.13.0 up to but not including 2.14.0. The issue occurs when processing deeply nested JSON structures (thousands of levels) using ObjectMapper.readTree() and then serializing the JsonNode back to a string. This can lead to uncontrolled resource consumption, potentially impacting service availability. The vulnerability is fixed in version 2.14.0.
AI Analysis
Technical Summary
CVE-2026-50193 describes an uncontrolled resource consumption vulnerability (CWE-400) in FasterXML jackson-databind's data-binding and tree-model functionality. Specifically, versions from 2.13.0 until 2.14.0 are affected when an attacker sends deeply nested JSON (thousands of levels) that is parsed into a JsonNode via ObjectMapper.readTree() and then serialized back using JsonNode.toString(). This process can consume significant CPU and memory resources, enabling denial-of-service conditions with relatively small payloads (~2KB for 1000 nested arrays). The vulnerability is resolved in version 2.14.0.
Potential Impact
An attacker can cause a denial-of-service by sending deeply nested JSON data that triggers excessive resource consumption during parsing and serialization. This can degrade or disrupt service availability. The impact is limited to scenarios where the application reads deeply nested JSON as a JsonNode and serializes it back, which may not be common in all uses of jackson-databind.
Mitigation Recommendations
Upgrade jackson-databind to version 2.14.0 or later, where this vulnerability is fixed. There is no indication of any temporary or alternative mitigations. Patch status is confirmed fixed in 2.14.0.
CVE-2026-50193: CWE-400: Uncontrolled Resource Consumption in FasterXML jackson-databind
Description
A denial-of-service vulnerability exists in FasterXML jackson-databind versions from 2.13.0 up to but not including 2.14.0. The issue occurs when processing deeply nested JSON structures (thousands of levels) using ObjectMapper.readTree() and then serializing the JsonNode back to a string. This can lead to uncontrolled resource consumption, potentially impacting service availability. The vulnerability is fixed in version 2.14.0.
CVSS v4.0
Score 6.3medium
Affected software
pkg:maven/com.fasterxml.jackson.core/jackson-databindRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-50193 describes an uncontrolled resource consumption vulnerability (CWE-400) in FasterXML jackson-databind's data-binding and tree-model functionality. Specifically, versions from 2.13.0 until 2.14.0 are affected when an attacker sends deeply nested JSON (thousands of levels) that is parsed into a JsonNode via ObjectMapper.readTree() and then serialized back using JsonNode.toString(). This process can consume significant CPU and memory resources, enabling denial-of-service conditions with relatively small payloads (~2KB for 1000 nested arrays). The vulnerability is resolved in version 2.14.0.
Potential Impact
An attacker can cause a denial-of-service by sending deeply nested JSON data that triggers excessive resource consumption during parsing and serialization. This can degrade or disrupt service availability. The impact is limited to scenarios where the application reads deeply nested JSON as a JsonNode and serializes it back, which may not be common in all uses of jackson-databind.
Mitigation Recommendations
Upgrade jackson-databind to version 2.14.0 or later, where this vulnerability is fixed. There is no indication of any temporary or alternative mitigations. Patch status is confirmed fixed in 2.14.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-03T22:05:13.645Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3af602eed863c81e9ec623
Added to database: 06/23/2026, 21:09:22 UTC
Last enriched: 06/23/2026, 21:24:49 UTC
Last updated: 06/23/2026, 22:26:29 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.