Allocation of Resources Without Limits or Throttling Affecting camunda-8.9 package, versions <8.9.0-r1


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.55% (42nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CHAINGUARDLATEST-CAMUNDA89-16094924
  • published17 Apr 2026
  • disclosed6 Mar 2026

Introduced: 6 Mar 2026

CVE-2026-29062  (opens in a new tab)
CWE-770  (opens in a new tab)

How to fix?

Upgrade Chainguard camunda-8.9 to version 8.9.0-r1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream camunda-8.9 package and not the camunda-8.9 package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. A similar issue was found in ReaderBasedJsonParser. This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS). This issue has been patched in version 3.1.0.

CVSS Base Scores

version 3.1