CVE-2025-53864

5.8 MEDIUM

Published: July 11, 2025 Modified: April 15, 2026

Description

Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f7fb882cc08f027c9ceb874acec3b51c6222861c

Source: cve@mitre.org

https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/583/stackoverflowerror-due-to-deeply-nested

Source: cve@mitre.org

https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/593/back-port-cve-2025-53864-fix-to-9x-branch

Source: cve@mitre.org

https://github.com/google/gson/commit/1039427ff0100293dd3cf967a53a55282c0fef6b

Source: cve@mitre.org

https://github.com/google/gson/compare/gson-parent-2.11.0...gson-parent-2.12.0

Source: cve@mitre.org

https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/583/stackoverflowerror-due-to-deeply-nested

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

6 reference(s) from NVD

Quick Stats

CVSS v3 Score

5.8 / 10.0

EPSS (Exploit Probability)

0.1%

20th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-674

Related CVEs

CVE-2026-41044 N/A

CVE-2026-41043 N/A

CVE-2026-40466 N/A

CVE-2025-62233 N/A

CVE-2026-6272 N/A