Allocation of Resources Without Limits or Throttling Affecting keycloak-config-cli package, versions *


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

Social Trends
EPSS
0.55% (42nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-MINIMOSLATEST-KEYCLOAKCONFIGCLI-17134352
  • published3 Jun 2026
  • disclosed6 Mar 2026

Introduced: 6 Mar 2026

CVE-2026-29062  (opens in a new tab)
CWE-770  (opens in a new tab)

How to fix?

There is no fixed version for Minimos:latest keycloak-config-cli.

NVD Description

Note: Versions mentioned in the description apply only to the upstream keycloak-config-cli package and not the keycloak-config-cli package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. A similar issue was found in ReaderBasedJsonParser. This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS). This issue has been patched in version 3.1.0.

CVSS Base Scores

version 3.1