Home

Description

Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.

PUBLISHED Reserved 2025-07-11 | Published 2025-07-11 | Updated 2025-09-23 | Assigner mitre




MEDIUM: 5.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

Problem types

CWE-674 Uncontrolled Recursion

Product status

Default status
unaffected

Any version before 10.0.2
affected

References

bitbucket.org/...583/stackoverflowerror-due-to-deeply-nested exploit

bitbucket.org/...583/stackoverflowerror-due-to-deeply-nested

github.com/...ompare/gson-parent-2.11.0...gson-parent-2.12.0

github.com/...ommit/1039427ff0100293dd3cf967a53a55282c0fef6b

bitbucket.org/...ts/f7fb882cc08f027c9ceb874acec3b51c6222861c

bitbucket.org/...3/back-port-cve-2025-53864-fix-to-9x-branch

cve.org (CVE-2025-53864)

nvd.nist.gov (CVE-2025-53864)

Download JSON