CVE-2022-42004: Death by a Thousand Brackets in Jackson-databind

Amit Schendel, Senior Security Researcher

Jan 2, 2026

Executive Summary (TL;DR)

If you use Jackson to deserialize JSON and have `UNWRAP_SINGLE_VALUE_ARRAYS` enabled, a payload like `[[[[...]]]]` will crash your application via stack exhaustion. Update to 2.13.4 or disable the feature.

CVE-2022-42004 is a high-severity denial-of-service vulnerability in the ubiquitous FasterXML jackson-databind library. By sending deeply nested JSON arrays to an application that has the UNWRAP_SINGLE_VALUE_ARRAYS feature enabled, an attacker can trigger a StackOverflowError and crash the JVM with a trivially small payload.
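Added example (not code from the advisory or from the Jackson project): a streaming pre-check that measures array/object nesting with jackson-core's iterative JsonParser and rejects over-nested input before the databind unwrap recursion ever runs, alongside the vulnerable mapper configuration the advisory describes. The class `NestingGuard`, the helpers `wrapped`, `maxNestingDepth` and `readGuarded`, and the depth limit of 32 are assumed names and values; the sample input is constructed.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

public class NestingGuard {

    // Constructed sample input: one integer wrapped in `depth` arrays, e.g. [[[7]]] for depth 3.
    static String wrapped(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append('[');
        sb.append('7');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // Walk the token stream and record the deepest array/object nesting seen.
    // The streaming parser is iterative, so this check itself does not recurse per level.
    static int maxNestingDepth(JsonFactory factory, String json) throws IOException {
        int depth = 0, deepest = 0;
        try (JsonParser p = factory.createParser(json)) {
            for (JsonToken t = p.nextToken(); t != null; t = p.nextToken()) {
                if (t.isStructStart()) deepest = Math.max(deepest, ++depth);
                else if (t.isStructEnd()) depth--;
            }
        }
        return deepest;
    }

    // Reject over-nested input before databind's recursive single-value unwrap runs (assumed limit).
    static Integer readGuarded(ObjectMapper mapper, String json, int limit) throws IOException {
        int depth = maxNestingDepth(mapper.getFactory(), json);
        if (depth > limit) {
            throw new IllegalArgumentException("JSON nesting depth " + depth + " exceeds limit " + limit);
        }
        return mapper.readValue(json, Integer.class);
    }

    public static void main(String[] args) throws IOException {
        // The vulnerable configuration from the advisory: single-value arrays are unwrapped recursively.
        ObjectMapper mapper = new ObjectMapper()
                .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);

        System.out.println(readGuarded(mapper, wrapped(3), 32));   // shallow input still unwraps to 7
        try {
            readGuarded(mapper, wrapped(500), 32);                 // rejected before readValue is reached
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Simplest hardening: leave the feature disabled, so [[7]] fails fast as a type mismatch instead.
    }
}
```

The pre-check is a stopgap for deployments that cannot yet move to 2.13.4 / 2.12.7.1; newer jackson-core releases (2.15 and later) also enforce a comparable built-in limit through StreamReadConstraints.maxNestingDepth.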

Technical Appendix

CVSS Score: 7.5 / 10
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Probability: 0.14% (top 35% most exploited)

Affected Systems

- Java applications using jackson-databind < 2.13.4
- Spring Boot applications (which depend on Jackson)
- Microservices with UNWRAP_SINGLE_VALUE_ARRAYS enabled

Affected Versions Detail

Product                      | Affected Versions | Fixed Version
jackson-databind (FasterXML) | < 2.13.4          | 2.13.4
jackson-databind (FasterXML) | 2.12.0 - 2.12.7   | 2.12.7.1
Attribute           | Detail
CWE                 | CWE-674 (Uncontrolled Recursion)
CVSS                | 7.5 (High)
Attack Vector       | Network
Availability Impact | High (Stack Exhaustion)
Exploit Complexity  | Low
Authentication      | None

Vulnerability Timeline

2022-09-14  Issue reported and fixed in the codebase
2022-10-02  Release 2.13.4 published
2022-10-06  CVE-2022-42004 assigned
