CVE-2025-53864

Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.

Published: Jul 11, 2025
Updated: Aug 11, 2025
CVE: CVE-2025-53864
GHSA: GHSA-xwmg-2g98-w7v9
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

CWEs:

CWE-674

Affected Software
References

Software	From	Fixed in
com.nimbusds / nimbus-jose-jwt	10.0	10.0.2
com.nimbusds / nimbus-jose-jwt	-	9.37.4

https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f7fb882cc08f027c9ceb874acec3b51c6222861c
https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/583/stackoverflowerror-due-to-deeply-nested
https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/593/back-port-cve-2025-53864-fix-to-9x-branch
https://github.com/google/gson/commit/1039427ff0100293dd3cf967a53a55282c0fef6b
https://github.com/google/gson/compare/gson-parent-2.11.0...gson-parent-2.12.0

Vulnerability Database

CVE-2025-53864