Description
Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.
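The defensive counterpart to the description above, as an added example that is not Nimbus JOSE + JWT's own code: an application-level guard that measures the bracket nesting depth of the claim set segment with a flat scan (no recursion) and rejects the token before any recursive JSON parser touches it. The depth limit of 32, the helper names and the sample tokens are assumptions constructed for this example.

```python
import base64
import json

MAX_DEPTH = 32  # assumption: an application-chosen bound, not a library default


def json_nesting_depth(text: str) -> int:
    """Return the maximum {}/[] nesting depth of raw JSON text.
    Iterative scan only: it never builds the object tree, so it cannot
    itself exhaust the stack on hostile input. Brackets inside strings
    are ignored, escapes are honoured."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "}]":
            depth -= 1
    return max_depth


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def parse_claims_guarded(jwt: str, max_depth: int = MAX_DEPTH) -> dict:
    """Decode the claims segment of a compact JWS, refusing it when the
    nesting depth exceeds max_depth (signature checking is out of scope here)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = b64url_decode(parts[1]).decode("utf-8")
    depth = json_nesting_depth(payload)
    if depth > max_depth:
        raise ValueError(f"claim set nesting depth {depth} exceeds {max_depth}")
    return json.loads(payload)


def make_sample_jwt(claims_json: str) -> str:
    """Constructed sample token with a placeholder signature segment."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    return f"{header}.{b64url_encode(claims_json.encode())}.placeholder-sig"


# Constructed inputs: a benign claim set and one nested 10000 levels deep.
BENIGN = make_sample_jwt('{"sub":"alice","roles":["a","b"]}')
DEEP = make_sample_jwt('{"x":' + "[" * 10000 + "]" * 10000 + "}")
```

Without the guard, `json.loads` on the DEEP token raises a RecursionError; with it, the token is rejected by a cheap linear scan first, which is the check the description says the product could have applied independently of Gson.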
References (5)
Patch: https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f7fb882cc08f027c9ceb874acec3b51c6222861c
Scores
CVSS v3: 5.8
EPSS: 0.0081
EPSS Percentile: 51.8%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-674
Status: published
Products (2)
com.nimbusds/nimbus-jose-jwt (Maven): 9.38-rc1 - 10.0.2
Connect2id/Nimbus JOSE+JWT: < 10.0.2
Published: Jul 11, 2025
Tracked Since: Feb 18, 2026