Home > Vulnerability Database > CVE-2025-53864

Mend.io Vulnerability Database

CVE-2025-53864

Good to know:

Date: July 10, 2025

Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.

Severity Score

7.5

Related Resources (8)

Url: https://github.com/google/gson/compare/gson-parent-2.11.0...gson-parent-2.12.0

Url: https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/593/back-port-cve-2025-53864-fix-to-9x-branch

Url: https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f7fb882cc08f027c9ceb874acec3b51c6222861c

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-53864

Url: https://bitbucket.org/connect2id/nimbus-jose-jwt

Url: https://github.com/google/gson/commit/1039427ff0100293dd3cf967a53a55282c0fef6b

Url: https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/583/stackoverflowerror-due-to-deeply-nested

Url: https://www.mend.io/vulnerability-database/CVE-2025-53864

Severity Score

7.5

Weakness Type (CWE)

Uncontrolled Recursion

CWE-674

Top Fix

Upgrade Version

Upgrade to version com.nimbusds:nimbus-jose-jwt:10.0.2;com.nimbusds:nimbus-jose-jwt:9.37.4

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-53864

Good to know:

Date: July 10, 2025

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?