Uncontrolled Recursion in Nimbus JOSE+JWT - CVE-2025-53864
Published: September 26, 2025
Vulnerability identifier: #VU116142
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L/E:U/U:Green
CVE-ID: CVE-2025-53864
CWE-ID: CWE-674
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Connect2id Ltd.
Affected software:
Nimbus JOSE+JWT
Nimbus JOSE+JWT
Detailed vulnerability description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack via a deeply nested JSON object supplied in a JWT claim set.
How to mitigate CVE-2025-53864
Cybersecurity Help is currently unaware of any official solution to address this vulnerability..
Sources
- https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f7fb882cc08f027c9ceb874acec3b51c6222861c
- https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/583/stackoverflowerror-due-to-deeply-nested
- https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/593/back-port-cve-2025-53864-fix-to-9x-branch
- https://github.com/google/gson/commit/1039427ff0100293dd3cf967a53a55282c0fef6b
- https://github.com/google/gson/compare/gson-parent-2.11.0...gson-parent-2.12.0