CVE-2020-36518

7.5 HIGH

📋 TL;DR

CVE-2020-36518 is a denial-of-service vulnerability in jackson-databind: deserializing JSON with a very large nesting depth (thousands of nested arrays or objects) recurses once per level and throws java.lang.StackOverflowError. Depending on how the application handles Errors, that aborts the request thread or takes down the whole process. It affects any Java application that uses a vulnerable jackson-databind to deserialize untrusted JSON, most directly when binding to Object, Map or List (the untyped deserializer the fix targets). No authentication is needed: anyone who can submit JSON to a vulnerable endpoint can trigger it.

💻 Affected Systems

Products:
  • Jackson Databind
  • Any Java application using Jackson Databind for JSON processing
Versions: All versions before 2.13.0
Operating Systems: All operating systems running Java applications
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration when processing untrusted JSON data. Applications must deserialize JSON from untrusted sources to be exploitable.

📦 What is this software?

Jackson Databind (com.fasterxml.jackson.core:jackson-databind) is the data-binding module of the FasterXML Jackson JSON library for Java. It sits on top of the streaming parser in jackson-core and converts JSON to and from Java objects: POJOs, Map and List, or the JsonNode tree. It is pulled in transitively by most Java web stacks (Spring Boot, Jersey, Dropwizard and others), so many applications depend on it without declaring it directly.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete application crash leading to sustained denial of service, potentially affecting multiple services if Jackson is used in critical infrastructure components.

🟠

Likely Case

Application instability and intermittent crashes when processing malicious JSON payloads, resulting in service disruption.

🟢

If Mitigated

Minimal impact if input validation limits JSON depth or if the application is patched and properly configured.

🌐 Internet-Facing: HIGH - Any internet-facing service accepting JSON input could be crashed by unauthenticated attackers sending malicious payloads.
🏢 Internal Only: MEDIUM - Internal services could still be affected by malicious internal users or compromised systems, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward: send a JSON body with thousands of nested arrays or objects to any endpoint that deserializes it. The payload is small (10,000 nested arrays is about 20 KB), so request-size limits alone do not stop it. No authentication is required. A reproducer is in the public GitHub issue linked below.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.13.0 or later. The fix (issue #2816) was also backported as 2.12.6.1 and is included in 2.13.2.1, so those patch releases are safe for projects that cannot move to a newer minor line.

Vendor Advisory: https://github.com/FasterXML/jackson-databind/issues/2816

Restart Required: Yes

Instructions:

1. Update the jackson-databind dependency to 2.13.0 or later in pom.xml or build.gradle. Because jackson-databind usually arrives transitively (Spring Boot, Jersey, etc.), pin it with Maven dependencyManagement or a Gradle constraint rather than only editing a direct dependency, and keep jackson-core and jackson-annotations on the same minor version.
2. Confirm the resolved version with mvn dependency:tree or gradle dependencies; exactly one jackson-databind should appear, at the fixed version.
3. Rebuild and redeploy the application.
4. Restart the application server so the old jar is no longer loaded.

🔧 Temporary Workarounds

Input validation and depth limiting

all

Pre-scan each untrusted body with the streaming parser from jackson-core (JsonParser), counting START_OBJECT/START_ARRAY against END_OBJECT/END_ARRAY tokens, and reject it before it reaches ObjectMapper.readValue. The streaming parser tracks nesting with a parent-linked context object rather than recursion, so the scan cannot itself overflow the stack. ObjectMapper has no nesting-depth setting on the affected versions, and JsonParser.Feature.STRICT_DUPLICATE_DETECTION only detects repeated field names, so neither replaces the pre-scan. On jackson-core 2.15 or later the parser enforces a limit natively through StreamReadConstraints.maxNestingDepth (default 1000), but a project on 2.15 is already past the fixed version.
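The depth gate described above, written out as an added example (this is not code from the page or from the Jackson project). It assumes any Jackson 2.x on the classpath; the class name DepthLimitedJson, the limit of 64 and the constructed payloads are illustrative choices.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;
import java.util.Collections;

/** Depth gate placed in front of ObjectMapper for untrusted JSON (example code, any Jackson 2.x). */
public final class DepthLimitedJson {

    private static final JsonFactory FACTORY = new JsonFactory();
    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** Thrown when the payload nests deeper than the configured limit. */
    public static final class NestingTooDeepException extends IOException {
        NestingTooDeepException(int limit) {
            super("JSON nesting depth exceeds limit of " + limit);
        }
    }

    /**
     * Walks the token stream with the jackson-core streaming parser, which tracks nesting
     * through a parent-linked context object rather than recursion, so this scan cannot
     * overflow the stack. Returns the deepest level seen, or throws as soon as the limit is
     * exceeded (a 10,000-level payload is rejected after the 65th opening bracket).
     */
    public static int maxNestingDepth(String json, int limit) throws IOException {
        int depth = 0;
        int deepest = 0;
        try (JsonParser p = FACTORY.createParser(json)) {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t == JsonToken.START_OBJECT || t == JsonToken.START_ARRAY) {
                    depth++;
                    if (depth > limit) {
                        throw new NestingTooDeepException(limit);
                    }
                    deepest = Math.max(deepest, depth);
                } else if (t == JsonToken.END_OBJECT || t == JsonToken.END_ARRAY) {
                    depth--;
                }
            }
        }
        return deepest;
    }

    /** Untyped binding (the path this CVE concerns) guarded by the depth gate. */
    public static Object readUntrusted(String json, int limit) throws IOException {
        maxNestingDepth(json, limit);          // rejects before any recursive deserializer runs
        return MAPPER.readValue(json, Object.class);
    }

    /** Constructed attack payload: `depth` nested arrays, about two bytes per level. */
    static String nestedArrays(int depth) {
        return String.join("", Collections.nCopies(depth, "["))
             + String.join("", Collections.nCopies(depth, "]"));
    }

    public static void main(String[] args) throws IOException {
        // Constructed benign input: nests four levels deep.
        String benign = "{\"user\":{\"name\":\"alice\",\"roles\":[\"admin\",{\"scope\":\"read\"}]}}";
        System.out.println("benign payload depth = " + maxNestingDepth(benign, 64)
                + ", parsed: " + readUntrusted(benign, 64));

        String attack = nestedArrays(10_000);   // ~20 KB; overflows a default thread stack on unpatched versions
        try {
            readUntrusted(attack, 64);
            System.out.println("attack payload accepted (should not happen)");
        } catch (NestingTooDeepException e) {
            System.out.println("attack payload rejected: " + e.getMessage());
        }
    }
}
```

The gate parses each body twice, which is the price of staying on an unpatched version; it fails fast on hostile input because the scan stops at the first bracket past the limit. If the body arrives as a stream rather than a String, buffer it (with a size cap) so both passes read the same bytes. On jackson-core 2.15 or later the equivalent is a JsonFactory built with StreamReadConstraints.builder().maxNestingDepth(64).build(), passed to the ObjectMapper constructor, with no second pass.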

WAF rule for JSON depth

linux

Configure the web application firewall to reject JSON bodies whose opening brackets nest beyond a depth no legitimate payload reaches. A pattern that looks for a run of `{` characters separated only by whitespace never matches valid JSON (object members must be keyed, so `{{` cannot occur) and will not fire on the real payload; count opening brackets that are not followed by a closing bracket instead, since a run of N openers with no closer in between is exactly a nesting depth of N.

# Example ModSecurity rule (needs SecRequestBodyAccess On; only bodies within
# SecRequestBodyLimit are inspected). Each repetition is one opening bracket
# followed by anything except a bracket, i.e. one unclosed nesting level.
SecRule REQUEST_BODY "@rx (?:[\[{][^\[\]{}]*){64}" \
    "id:1001,phase:2,deny,status:400,log,msg:'JSON nesting depth attack (CVE-2020-36518)'"

Tune the repetition count to the deepest structure your API actually accepts. Bracket characters inside string values are counted too, which can cause a rare false positive but not an evasion.

🧯 If You Can't Patch

  • Implement strict input validation to limit JSON nesting depth before deserialization
  • Deploy WAF with rules to detect and block JSON payloads with excessive nesting

🔍 How to Verify

Check if Vulnerable:

Check the resolved jackson-databind version in the application's dependency graph; it is usually a transitive dependency, so the version declared in pom.xml or build.gradle may not be the one that ships. If the resolved version is below 2.13.0 (other than the 2.12.6.1 backport) and the application deserializes JSON from untrusted sources, it is vulnerable.

Check Version:

mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind
gradle dependencies --configuration runtimeClasspath | grep jackson-databind

For a deployed artifact, the jar file name carries the version:

unzip -l your-app.jar | grep jackson-databind
find / -name 'jackson-databind-*.jar' 2>/dev/null

Verify Fix Applied:

Confirm that the jackson-databind actually on the classpath of the deployed artifact (not just the build file) is 2.13.0 or later. Then exercise an endpoint that binds JSON to Object, Map or List with a payload of several thousand nested arrays (for example 10,000 `[` followed by 10,000 `]`, about 20 KB) and confirm the request completes or is rejected with a clean error, with no java.lang.StackOverflowError in the logs. Run the test with the same JVM settings as production, in particular -Xss, because the depth at which an unpatched version overflows depends on the thread stack size.
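A stand-alone probe for the behavioural check above, as an added example (not code from the page or from the Jackson project). Run it on the application's classpath with the production JVM flags; the class name Cve202036518Check, the default depth of 10,000 and the constructed payload are assumptions.

```java
import com.fasterxml.jackson.core.Version;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.Collections;

/** Reports whether the jackson-databind on the classpath survives a deeply nested payload (example code). */
public final class Cve202036518Check {

    /** Constructed attack payload: `depth` nested arrays, bound to Object (the untyped path this CVE concerns). */
    static String nestedArrays(int depth) {
        return String.join("", Collections.nCopies(depth, "["))
             + String.join("", Collections.nCopies(depth, "]"));
    }

    /**
     * Feeds the payload to the mapper and classifies the outcome. Catching StackOverflowError
     * is acceptable in a throwaway probe like this one; it is not a mitigation for production code.
     */
    static String probe(ObjectMapper mapper, int depth) {
        String payload = nestedArrays(depth);
        try {
            mapper.readValue(payload, Object.class);
            return "protected: parsed " + depth + " levels without StackOverflowError";
        } catch (StackOverflowError e) {
            return "vulnerable: StackOverflowError at depth " + depth;
        } catch (Exception e) {
            // jackson-core 2.15+ rejects over-deep input in the parser (StreamConstraintsException);
            // a clean exception is the desired outcome, not a crash.
            return "protected: parser rejected input (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        ObjectMapper mapper = new ObjectMapper();
        Version v = mapper.version();          // version of jackson-databind actually loaded
        int depth = args.length > 0 ? Integer.parseInt(args[0]) : 10_000;

        String note = (v.getMajorVersion() == 2 && v.getMinorVersion() < 13)
                ? " (below 2.13.0; only the 2.12.6.1 backport is safe on this line)"
                : "";
        System.out.println("jackson-databind " + v + note);
        System.out.println(probe(mapper, depth));
    }
}
```

If the version check and the probe disagree (a recent version that still overflows), the usual cause is a second copy of jackson-databind shaded into another jar; the find and unzip commands above will surface it.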

📡 Detection & Monitoring

Log Indicators:

  • java.lang.StackOverflowError in application logs, with a stack trace made of the same com.fasterxml.jackson.databind.deser frames repeated hundreds of times
  • Request threads dying, or the JVM exiting, during JSON processing

Network Indicators:

  • POST/PUT bodies consisting almost entirely of [ or { characters; the payload can be only a few KB, so body-size thresholds alone will not flag it
  • HTTP 500 responses or connection resets immediately following JSON requests from the same source

SIEM Query:

(source="application.logs" AND "java.lang.StackOverflowError" AND "com.fasterxml.jackson") OR (source="web.logs" AND status=500 AND content_type="application/json")
