CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
A security flaw was discovered in the UTF8DataInputJsonParser component of jackson-core, specifically affecting applications that parse JSON from java.io.DataInput sources. The vulnerability allows for a complete bypass of the maxNestingDepth constraint, which is designed to prevent stack overflow attacks. This occurs because the parser invokes internal context methods directly instead of using the parser's own validating helper methods. As a result, an attacker can craft deeply nested JSON structures that exhaust the thread's stack memory, leading to an immediate Denial-of-Service (DoS).
Impact
- Unchecked Recursion: The parser allows nested structures to reach arbitrary depths, bypassing the default security limit of 500.
- Stack Overflow Error: Each new nesting level consumes a stack frame; extreme depth leads to immediate process termination.
- Service Disruption: A single malicious payload can crash the worker thread, causing a targeted Denial-of-Service in critical application paths.
Description
The vulnerability stems from an inconsistency in how UTF8DataInputJsonParser handles the transition into new JSON objects or arrays. In most Jackson parsers, the createChildArrayContext() method of the parser itself is called. This method contains a critical call to validateNestingDepth().
Call Path: Vulnerable vs. Correct
    if (ch == '[') {
        // BUG: calls the context's factory method directly, bypassing the
        // parser's own createChildArrayContext() and its validateNestingDepth() check
        _streamReadContext = _streamReadContext.createChildArrayContext(row, col);
        return JsonToken.START_ARRAY;
    }
Because the JsonReadContext object does not have access to the parser's StreamReadConstraints, it cannot perform depth validation. When the UTF8DataInputJsonParser calls the context method directly, it bypasses the "gatekeeper" logic in the parser. An attacker can then nest arrays thousands of levels deep, each one adding a new frame to the JVM stack until it overflows.
Conclusion
This bypass demonstrates the risks inherent in direct object delegation when security logic is maintained at a higher abstraction layer. To remediate this vulnerability, applications using Jackson with DataInput sources should upgrade to jackson-core 3.1.0 or later. This version refactors the DataInput parser to use the standard, validated context-creation path, ensuring consistent enforcement of nesting limits across all input sources.
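The following is an added example, not code from this advisory or from the Jackson project. It shows two things a defender would want after reading the description and the remediation above: a regression check that a DataInput-backed parser now refuses input one level past the configured maxNestingDepth, and an application-level depth guard that walks the token stream and enforces its own cap, so a nesting limit holds even if some parser implementation fails to validate it. The example assumes the jackson-core 3.x package layout (`tools.jackson.core`, `ObjectReadContext.empty()`, `createParser(ObjectReadContext, DataInput)`); the `NestingDepthGuard` class, its method names and the constructed `[[[...]]]` inputs are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInput;
import java.io.DataInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

// Assumed jackson-core 3.x package names (example assumption, see lead-in).
import tools.jackson.core.JsonParser;
import tools.jackson.core.JsonToken;
import tools.jackson.core.ObjectReadContext;
import tools.jackson.core.StreamReadConstraints;
import tools.jackson.core.exc.StreamConstraintsException;
import tools.jackson.core.json.JsonFactory;

public class NestingDepthGuard {

    /** Application-level depth cap; matches Jackson's default maxNestingDepth of 500. */
    public static final int MAX_DEPTH = 500;

    /**
     * Walks every token, tracking structural depth ourselves. Depth is counted
     * iteratively, so this guard cannot itself overflow the stack, and it fires
     * regardless of whether the underlying parser validates nesting depth.
     * Returns the deepest nesting level seen when the document is within limits.
     */
    public static int maxDepthOf(JsonParser p, int limit) throws IOException {
        int depth = 0, maxSeen = 0;
        JsonToken t;
        while ((t = p.nextToken()) != null) {
            if (t.isStructStart()) {          // START_ARRAY or START_OBJECT
                depth++;
                if (depth > limit) {
                    throw new IllegalStateException(
                        "JSON nesting depth " + depth + " exceeds limit " + limit);
                }
                maxSeen = Math.max(maxSeen, depth);
            } else if (t.isStructEnd()) {     // END_ARRAY or END_OBJECT
                depth--;
            }
        }
        return maxSeen;
    }

    /** Constructed sample input: n nested arrays, e.g. n=3 gives "[[[]]]". */
    static byte[] nestedArrays(int n) {
        StringBuilder sb = new StringBuilder(2 * n);
        for (int i = 0; i < n; i++) sb.append('[');
        for (int i = 0; i < n; i++) sb.append(']');
        return sb.toString().getBytes(StandardCharsets.US_ASCII);
    }

    public static void main(String[] args) throws IOException {
        // Explicitly configure the limit the advisory says was bypassed.
        JsonFactory factory = JsonFactory.builder()
                .streamReadConstraints(StreamReadConstraints.builder()
                        .maxNestingDepth(MAX_DEPTH).build())
                .build();

        // Well within the limit: accepted by both the parser and the guard.
        DataInput shallow = new DataInputStream(new ByteArrayInputStream(nestedArrays(10)));
        try (JsonParser p = factory.createParser(ObjectReadContext.empty(), shallow)) {
            System.out.println("max depth = " + maxDepthOf(p, MAX_DEPTH));
        }

        // One level past the limit. On jackson-core 3.1.0+ the DataInput parser
        // itself throws StreamConstraintsException at depth 501; on a vulnerable
        // build the parser stays silent, but the guard still stops the walk there.
        DataInput tooDeep = new DataInputStream(new ByteArrayInputStream(nestedArrays(MAX_DEPTH + 1)));
        try (JsonParser p = factory.createParser(ObjectReadContext.empty(), tooDeep)) {
            maxDepthOf(p, MAX_DEPTH);
            System.out.println("UNEXPECTED: depth limit not enforced");
        } catch (StreamConstraintsException e) {
            System.out.println("parser enforced the limit: " + e.getMessage());
        } catch (IllegalStateException e) {
            System.out.println("guard enforced the limit: " + e.getMessage());
        }
    }
}
```

Running this on a fixed build prints the parser-enforced message for the second document; if the guard's message appears instead, the parser in use is not validating depth for DataInput sources and the upgrade has not taken effect. The guard is deliberately iterative: enforcing a limit with a recursive tree walk would reintroduce the stack-exhaustion risk the limit exists to prevent.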
References
Special thanks to the Jackson maintainers for their exceptionally quick response and effective mitigations in addressing these findings.