### Impact

Potential Denial-of-Service when an attacker sends deeply nested JSON if (and only if) the service:

1. Reads deeply nested (1000s of levels) JSON as `JsonNode` (`ObjectMapper.readTree()`)
2. Writes out the same (or modified) node using `JsonNode.toString()`, which can consume a significant amount of resources with concurrent, relatively small requests (1000 nested arrays is 2kB).

### Patches

Fixed in 2.14.0 via https://github.com/FasterXML/jackson-databind/issues/3447.

### Workarounds

Avoid serializing `JsonNode` using `toString()`: use `ObjectMapper.writeValueAsString(node)` instead.
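The following is an added example, not code from the advisory or from jackson-databind itself. It shows the affected read-tree-then-`toString()` pattern next to the advisory's workaround (`ObjectMapper.writeValueAsString(node)`), using a constructed input of 1000 nested empty arrays (2,000 bytes, as the advisory notes). The class name and helper methods are the example's own; it assumes jackson-databind is on the classpath.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

public class NestedJsonNodeExample {
    private static final ObjectMapper MAPPER = new ObjectMapper();

    // Constructed sample input: `depth` nested empty arrays, e.g. "[[[]]]" for depth 3.
    // Each level costs only two bytes, which is why a small request can be expensive.
    static String nestedArrays(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // The pattern the advisory describes: parse into a tree, then serialize it again
    // via JsonNode.toString(). Before jackson-databind 2.14.0 this second step is the
    // resource-hungry call on a deeply nested tree.
    static String roundTripViaToString(String json) throws JsonProcessingException {
        JsonNode node = MAPPER.readTree(json);
        return node.toString();
    }

    // The advisory's workaround: let the ObjectMapper serialize the node instead.
    static String roundTripViaMapper(String json) throws JsonProcessingException {
        JsonNode node = MAPPER.readTree(json);
        return MAPPER.writeValueAsString(node);
    }

    public static void main(String[] args) throws JsonProcessingException {
        String input = nestedArrays(1000);
        System.out.println("input bytes: " + input.length());          // 2000
        String out = roundTripViaMapper(input);
        System.out.println("round-trip preserved input: " + out.equals(input));
    }
}
```

On an unpatched version, replacing `roundTripViaMapper` with `roundTripViaToString` in `main` is enough to observe the cost difference; on 2.14.0 and later both calls behave comparably.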