CVE-2026-50193: jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString()
Potential denial of service when an attacker sends deeply nested JSON, if (and only if) the service:
- reads deeply nested (thousands of levels) JSON as a JsonNode (ObjectMapper.readTree()), and
- writes out the same (or a modified) node using JsonNode.toString().
Serialising such a node with JsonNode.toString() throws a StackOverflowError, and handling several such requests concurrently can consume a significant amount of resources even though each request is relatively small (1000 nested arrays is about 2 kB).
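The following is an added example, not code from the advisory or from the jackson project, showing the affected pattern next to two ways of keeping over-deep input away from JsonNode.toString(). It assumes jackson-databind and jackson-core are on the classpath; StreamReadConstraints and its maxNestingDepth setting exist only in jackson-core 2.15 and later, so the raw-text pre-check is included for older builds. The class and method names, the depth limit of 100 and the 20,000-level payload are choices made for this example; the payload is constructed in the code. Which call fails, and at what depth, depends on the jackson version and the thread stack size; the point is that only the constrained paths fail safely, with an ordinary exception before any JsonNode is built.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

public class NestedJsonNodeDemo {

    /** Constructed input: DEPTH opening brackets followed by DEPTH closing ones, i.e. "[[[...]]]". */
    static String nestedArrays(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    /** The pattern the advisory describes: readTree() followed by toString() on the same node. */
    static int vulnerableRoundTrip(ObjectMapper mapper, String json) throws IOException {
        JsonNode node = mapper.readTree(json);   // builds one JsonNode per nesting level
        return node.toString().length();        // serialises the tree back to text (recursive)
    }

    /**
     * Hardened mapper: the parser rejects input deeper than maxDepth with a
     * StreamConstraintsException (an IOException) before any JsonNode exists.
     * Requires jackson-core 2.15 or later.
     */
    static ObjectMapper depthLimitedMapper(int maxDepth) {
        StreamReadConstraints constraints = StreamReadConstraints.builder()
                .maxNestingDepth(maxDepth)
                .build();
        JsonFactory factory = JsonFactory.builder()
                .streamReadConstraints(constraints)
                .build();
        return new ObjectMapper(factory);
    }

    /**
     * Version-independent pre-check on the raw text: tracks bracket/brace depth
     * outside string literals (honouring backslash escapes) so a request can be
     * refused before the parser is invoked at all.
     */
    static int maxNestingDepth(String json) {
        int depth = 0, max = 0;
        boolean inString = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                if (c == '\\') i++;            // skip the escaped character
                else if (c == '"') inString = false;
            } else if (c == '"') {
                inString = true;
            } else if (c == '[' || c == '{') {
                if (++depth > max) max = depth;
            } else if (c == ']' || c == '}') {
                depth--;
            }
        }
        return max;
    }

    public static void main(String[] args) {
        String payload = nestedArrays(20_000);  // about 40 kB, within a typical request-body limit
        System.out.println("payload bytes: " + payload.length());

        // 1. Default mapper: the round trip ends in a StackOverflowError rather than an exception
        //    the request handler can catch per request.
        try {
            System.out.println("serialised length: " + vulnerableRoundTrip(new ObjectMapper(), payload));
        } catch (StackOverflowError e) {
            System.out.println("default mapper: StackOverflowError during readTree()/toString()");
        } catch (IOException e) {
            System.out.println("default mapper rejected input: " + e.getMessage());
        }

        // 2. Depth-limited mapper: parsing stops at level 101 with an IOException, so
        //    toString() is never reached and no deep tree is held in memory.
        try {
            vulnerableRoundTrip(depthLimitedMapper(100), payload);
        } catch (IOException e) {
            System.out.println("limited mapper rejected input: " + e.getMessage());
        }

        // 3. Pre-parse check for builds that predate StreamReadConstraints.
        int observed = maxNestingDepth(payload);
        if (observed > 100) {
            System.out.println("pre-check rejected input at depth " + observed);
        }
    }
}
```

The parse-time limit is the better control because it also bounds the memory spent building the tree; the pre-check is a stopgap that costs one extra pass over the request body. Whatever limit is chosen, it should be well below what the service's thread stack can serialise, not just below the advisory's "thousands of levels".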