The ArduinoJson’s parser contains a recursive function that is called each time an opening brace ({) or opening bracket ([) appears in the input. In other words, each object/array nesting level causes a recursive call.

This recursive call is a security risk because an attacker could craft a JSON input with many opening brackets to cause a stack overflow.

To protect against this security risk, ArduinoJson limits the number of nesting levels. The macro ARDUINOJSON_DEFAULT_NESTING_LIMIT sets the default value. This value is 10 if ARDUINO is defined, 50 otherwise.

If your JSON input contains more nesting levels that allowed, you have two options.

The first option is to define the macro to a higher value, which changes the nesting limit for the whole program. Here is an example:

#define ARDUINOJSON_DEFAULT_NESTING_LIMIT 20
#include <ArduinoJson.hpp>

The second option is to use the optional parameter of deserializeJson(), which changes the nesting limit for one call only. Here is an example:

deserializeJson(doc, input, DeserializationOption::NestingLimit(20));

Everything we saw in this page equally applies to MessagePack.