Vulnerability Description
Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f7fb882cc08f027c9ceb874
- https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/583/stackoverflowerror-d
- https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/593/back-port-cve-2025-5
- https://github.com/google/gson/commit/1039427ff0100293dd3cf967a53a55282c0fef6b
- https://github.com/google/gson/compare/gson-parent-2.11.0...gson-parent-2.12.0
- https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/583/stackoverflowerror-d
FAQ
What is CVE-2025-53864?
CVE-2025-53864 is a vulnerability with a CVSS score of 5.8 (MEDIUM). Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of...
How severe is CVE-2025-53864?
CVE-2025-53864 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-53864?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.