Medium severity (CVSS 5.8) · OSV Advisory · Published Jul 11, 2025 · Updated Apr 15, 2026
CVE-2025-53864
Description
Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| com.nimbusds:nimbus-jose-jwt | Maven | >= 9.38-rc1, < 10.0.2 | 10.0.2 |
| com.nimbusds:nimbus-jose-jwt | Maven | < 9.37.4 | 9.37.4 |
Affected products
Range summary: 10.0, 10.0.1, 9.37, …
47 entries, none with a CPE assigned. Each distribution package is listed with the range of package revisions that ship an affected library build.
| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/akhq | < 0.26.0-r0 |
| pkg:apk/chainguard/apache-nifi | < 2.4.0-r6 |
| pkg:apk/chainguard/apache-nifi-compat | < 2.4.0-r6 |
| pkg:apk/chainguard/apache-nifi-registry | < 2.4.0-r4 |
| pkg:apk/chainguard/apache-nifi-registry-toolkit | < 2.4.0-r4 |
| pkg:apk/chainguard/apache-nifi-toolkit | < 2.4.0-r6 |
| pkg:apk/chainguard/apicurio-registry | < 3.0.9-r6 |
| pkg:apk/chainguard/apicurio-registry-nginx-config | < 3.0.9-r6 |
| pkg:apk/chainguard/apicurio-registry-ui | < 3.0.9-r6 |
| pkg:apk/chainguard/camunda-zeebe-8.6 | < 8.6.21-r1 |
| pkg:apk/chainguard/camunda-zeebe-8.6-compat | < 8.6.21-r1 |
| pkg:apk/chainguard/camunda-zeebe-8.7 | < 8.7.7-r1 |
| pkg:apk/chainguard/camunda-zeebe-8.7-compat | < 8.7.7-r1 |
| pkg:apk/chainguard/druid | < 37.0.0-r14 |
| pkg:apk/chainguard/elasticsearch-7 | < 7.17.29-r2 |
| pkg:apk/chainguard/elasticsearch-7-bitnami | < 7.17.29-r2 |
| pkg:apk/chainguard/elasticsearch-7-iamguarded | < 7.17.29-r2 |
| pkg:apk/chainguard/flyway | < 11.16.0-r0 |
| pkg:apk/chainguard/hadoop-client-modules | < 3.3.6-r5 |
| pkg:apk/chainguard/nacos | < 3.2.0-r2 |
| pkg:apk/chainguard/nacos-docker | < 3.2.0-r1 |
| pkg:apk/chainguard/spark-4.1 | < 4.1.0-r1 |
| pkg:apk/chainguard/tez | < 0.10.5-r3 |
| pkg:apk/chainguard/wildfly | < 36.0.1-r6 |
| pkg:apk/chainguard/wildfly-openjdk-17 | < 36.0.1-r6 |
| pkg:apk/chainguard/wildfly-openjdk-17-compat | < 36.0.1-r6 |
| pkg:apk/chainguard/wildfly-openjdk-21 | < 36.0.1-r6 |
| pkg:apk/chainguard/wildfly-openjdk-21-compat | < 36.0.1-r6 |
| pkg:apk/wolfi/akhq | < 0.26.0-r0 |
| pkg:apk/wolfi/apache-nifi | < 2.4.0-r6 |
| pkg:apk/wolfi/apache-nifi-compat | < 2.4.0-r6 |
| pkg:apk/wolfi/apache-nifi-registry | < 2.4.0-r4 |
| pkg:apk/wolfi/apache-nifi-registry-toolkit | < 2.4.0-r4 |
| pkg:apk/wolfi/apache-nifi-toolkit | < 2.4.0-r6 |
| pkg:apk/wolfi/apicurio-registry | < 3.0.9-r6 |
| pkg:apk/wolfi/apicurio-registry-nginx-config | < 3.0.9-r6 |
| pkg:apk/wolfi/apicurio-registry-ui | < 3.0.9-r6 |
| pkg:apk/wolfi/druid | < 37.0.0-r14 |
| pkg:apk/wolfi/flyway | < 11.16.0-r0 |
| pkg:apk/wolfi/spark-4.1 | < 4.1.0-r1 |
| pkg:apk/wolfi/tez | < 0.10.5-r3 |
| pkg:apk/wolfi/wildfly | < 36.0.1-r6 |
| pkg:apk/wolfi/wildfly-openjdk-17 | < 36.0.1-r6 |
| pkg:apk/wolfi/wildfly-openjdk-17-compat | < 36.0.1-r6 |
| pkg:apk/wolfi/wildfly-openjdk-21 | < 36.0.1-r6 |
| pkg:apk/wolfi/wildfly-openjdk-21-compat | < 36.0.1-r6 |
| pkg:maven/com.nimbusds/nimbus-jose-jwt | >= 9.38-rc1, < 10.0.2 |
Patches
Fixed in 10.0.2 for the 10.0.x line and in 9.37.4 for the 9.37.x line of com.nimbusds:nimbus-jose-jwt; the Connect2id commit and the 9.x back-port issue (593) are listed under References, and the apk packages under Affected products carry the fix from the package revision shown there. The NOTE in the description matters for triage: upgrading Gson alone does not close this CVE, because the library is expected to bound claim-set nesting depth itself, whatever the underlying JSON parser enforces.
Vulnerability mechanics
The claim set travels as a JSON object in the token payload, and affected versions parse it with a routine that recurses once per nested object or array without bounding that depth. A payload that opens a nested container over and over and then closes them all costs the attacker a few bytes per level (two for nested arrays, six for single-key objects such as {"a":) and costs the parser at least one stack frame per level, until the thread's stack is exhausted and the parse dies with a StackOverflowError (Connect2id issue 583 under References). How much the attacker needs depends on where the caller parses the claim set: a verifier that reads claims before checking the signature (for instance to select a key by issuer) exercises the parser with no valid signature at all, while one that verifies first only reaches it with a token signed by a trusted key. In either case the depth is a property of the raw payload, which is why the description faults the library for not bounding it itself rather than relying on whatever limit the underlying JSON library (Gson, per the NOTE) happened to impose. Where tokens arrive only in an HTTP header, the front-end's header size limit caps the reachable depth; tokens accepted in request bodies, form fields or query strings are not so limited.
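The following is an added example, not code from this advisory or from the Nimbus JOSE + JWT project. It shows the two things a practitioner wants at this point: a way to build a signed token whose claim set is nested to an arbitrary depth (to regression-test an upgraded deployment or a gateway), and the non-recursive depth check the description says the library could have applied before parsing. It is written in Python so it can run anywhere a token passes through; the demo HMAC key, the `MAX_NESTING_DEPTH` of 32 and all function names are assumptions of the example, not values from the advisory.

```python
import base64
import hashlib
import hmac
import json

# Constructed HMAC key for this demo only (hypothetical, not a real secret).
DEMO_KEY = b"demo-only-hs256-key"

# Assumed ceiling on claim-set nesting: a local policy choice, not a value from
# the advisory. Legitimate claim sets need a handful of levels at most.
MAX_NESTING_DEPTH = 32


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def nested_json_object(depth: int) -> str:
    """Serialised JSON object whose brace depth is exactly `depth`."""
    # Built by string concatenation: an attacker needs no JSON encoder for this,
    # and a recursive encoder would trip over the very limit the input targets.
    if depth < 1:
        raise ValueError("depth must be >= 1")
    return '{"a":' * (depth - 1) + "{}" + "}" * (depth - 1)


def make_claims_json(sub: str, ctx_json: str) -> str:
    """Constructed claim set: a subject plus one nested-object claim."""
    return '{"sub":' + json.dumps(sub) + ',"ctx":' + ctx_json + "}"


def make_hs256_jwt(payload_json: str, key: bytes = DEMO_KEY) -> str:
    """Compact-serialised HS256 JWS over the claim-set JSON (RFC 7515/7519)."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(payload_json.encode("utf-8"))
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def json_nesting_depth(text: str) -> int:
    """Max bracket depth of a JSON text in one linear scan: no recursion, no full
    parse, constant memory; strings are skipped so braces inside them don't count."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
    return max_depth


def claim_set_json(token: str) -> str:
    """Raw claim-set JSON of a compact JWS, base64url-decoded but not parsed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWS")
    return _b64url_decode(parts[1]).decode("utf-8")


def claim_set_depth(token: str) -> int:
    return json_nesting_depth(claim_set_json(token))


def claim_set_within_limit(token: str, max_depth: int = MAX_NESTING_DEPTH) -> bool:
    """True if the token would pass the guard (an allow/deny answer for a gateway)."""
    return claim_set_depth(token) <= max_depth


def parse_claims_guarded(token: str, max_depth: int = MAX_NESTING_DEPTH) -> dict:
    """Apply the depth guard before any recursive parser sees the payload.
    json.loads is itself recursive and raises RecursionError past the interpreter's
    recursion limit, the Python analogue of the StackOverflowError in this CVE."""
    raw = claim_set_json(token)
    depth = json_nesting_depth(raw)
    if depth > max_depth:
        raise ValueError(f"claim set nesting depth {depth} exceeds limit {max_depth}")
    return json.loads(raw)


if __name__ == "__main__":
    benign = make_hs256_jwt(make_claims_json("alice", nested_json_object(3)))
    print("benign: depth", claim_set_depth(benign), "sub", parse_claims_guarded(benign)["sub"])
    hostile = make_hs256_jwt(make_claims_json("mallory", nested_json_object(50_000)))
    print("hostile: %d bytes, depth %d" % (len(hostile), claim_set_depth(hostile)))
    print("hostile accepted:", claim_set_within_limit(hostile))
```

The generated token is a valid HS256 JWS under the demo key, so it exercises a verifier that checks the signature first as well as one that reads claims before verifying; against an unpatched library only the second kind is reachable with a token signed by garbage. The scan in `json_nesting_depth` is the shape of guard to put in front of any recursive JSON parser, in Java as much as in Python: decode the payload, count depth linearly, and refuse the token before the parser runs. On a fixed library version it is defense in depth rather than the fix, and the 50,000-level token the block builds is a convenient regression input for confirming that an upgraded service now returns an error instead of a dead thread.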
References
- github.com/advisories/GHSA-xwmg-2g98-w7v9 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-53864 (GHSA, advisory)
- bitbucket.org/connect2id/nimbus-jose-jwt/commits/f7fb882cc08f027c9ceb874acec3b51c6222861c (NVD, web)
- bitbucket.org/connect2id/nimbus-jose-jwt/issues/583/stackoverflowerror-due-to-deeply-nested (NVD, web)
- bitbucket.org/connect2id/nimbus-jose-jwt/issues/593/back-port-cve-2025-53864-fix-to-9x-branch (NVD, web)
- github.com/google/gson/commit/1039427ff0100293dd3cf967a53a55282c0fef6b (NVD, web)
- github.com/google/gson/compare/gson-parent-2.11.0...gson-parent-2.12.0 (NVD, web)