CVE-2025-53864
Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.
| Software | From | Fixed in |
|---|---|---|
com.nimbusds / nimbus-jose-jwt
|
- | 9.37.4 |
|
com.nimbusds / nimbus-jose-jwt
|
9.38-rc1 | 10.0.2 |
- https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f7fb882cc08f027c9ceb874acec3b51c6222861c
- https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/583/stackoverflowerror-due-to-deeply-nested
- https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/593/back-port-cve-2025-53864-fix-to-9x-branch
- https://github.com/google/gson/commit/1039427ff0100293dd3cf967a53a55282c0fef6b
- https://github.com/google/gson/compare/gson-parent-2.11.0...gson-parent-2.12.0
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime