VYPR
Medium severity, score 5.8 · OSV Advisory · Published Jul 11, 2025 · Updated Apr 15, 2026

CVE-2025-53864

Description

Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.
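As an added illustration of the mitigation the note points at (checking the claim set's nesting depth before handing it to a recursive JSON parser), and not code from Connect2id or the Nimbus library: a standalone Java guard that decodes the payload segment of a compact JWT and rejects it when nesting exceeds a limit, scanning iteratively so the check itself cannot recurse. MAX_DEPTH = 32 is an assumed policy value, the class and method names are mine, and String.repeat in main needs Java 11 or later.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Pre-parse guard: rejects JWT claim sets nested deeper than a fixed limit, before any recursive JSON parser sees them. */
public final class JwtDepthGuard {
    /** Assumed policy value; legitimate claim sets rarely nest more than a few levels. */
    public static final int MAX_DEPTH = 32;

    /** Iterative scan of the deepest object/array nesting. Brackets inside string literals are ignored,
     *  escapes are skipped, and the scan stops once the limit is exceeded: O(n), no recursion. */
    public static int nestingDepth(String json, int limit) {
        int depth = 0, max = 0;
        boolean inString = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                if (c == '\\') i++;                 // skip the escaped character
                else if (c == '"') inString = false;
            } else if (c == '"') {
                inString = true;
            } else if (c == '{' || c == '[') {
                if (++depth > max) max = depth;
                if (max > limit) return max;        // early exit: already too deep
            } else if (c == '}' || c == ']') {
                depth--;
            }
        }
        return max;
    }

    /** Decodes the payload segment of a compact JWT and applies the depth check to it. */
    public static boolean payloadWithinDepth(String compactJwt) {
        String[] parts = compactJwt.split("\\.");
        if (parts.length < 2) return false;
        String json = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        return nestingDepth(json, MAX_DEPTH) <= MAX_DEPTH;
    }

    public static void main(String[] args) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8));
        // Constructed samples: an ordinary claims set (with brackets inside a string) and one nested 10000 levels deep.
        String benign = "{\"sub\":\"alice\",\"roles\":[\"user\"],\"note\":\"{[[{ not nesting\"}";
        String deep = "{\"a\":".repeat(10000) + "1" + "}".repeat(10000);
        for (String payload : new String[] {benign, deep}) {
            String jwt = header + "." + enc.encodeToString(payload.getBytes(StandardCharsets.UTF_8)) + ".";
            System.out.println(payloadWithinDepth(jwt) ? "accepted" : "rejected: nesting too deep");
        }
    }
}
```

Run the guard on the raw token before calling the library's parser; the first sample is accepted, the second is rejected after scanning only 33 opening braces.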

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                Affected versions         Patched versions
com.nimbusds:nimbus-jose-jwt (Maven)   >= 9.38-rc1, < 10.0.2     10.0.2
com.nimbusds:nimbus-jose-jwt (Maven)   < 9.37.4                  9.37.4
