CVE-2025-53864

Source
https://cve.org/CVERecord?id=CVE-2025-53864
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-53864.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-53864
Aliases
Downstream
Related
Published
2025-07-11T00:00:00Z
Modified
2026-06-18T03:57:31.368849145Z
Severity
  • 5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
Summary
[none]
Details

Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/53xxx/CVE-2025-53864.json",
    "cna_assigner": "mitre",
    "cwe_ids": [
        "CWE-674"
    ]
}
References

Affected packages

Git / bitbucket.org/connect2id/nimbus-jose-jwt

Affected ranges

Type
GIT
Repo
https://bitbucket.org/connect2id/nimbus-jose-jwt
Events
Introduced
ea6c9f4e12be004076ab9b0c76ebca26477adca5
Fixed
d245d7a32003b6ca247d80fc33da7c009b278c22
Introduced
f50158f96675591b27a327b4597280dfda4aac07
Fixed
392252c7a8f2e0c089f6537be32c440ea4e32ed1
Fixed
f7fb882cc08f027c9ceb874acec3b51c6222861c
Database specific
{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "10.0.x"
        },
        {
            "fixed": "10.0.2"
        },
        {
            "introduced": "9.37.x"
        },
        {
            "fixed": "9.37.4"
        }
    ]
}
Type
GIT
Repo
https://github.com/google/gson
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

10.*
10.0
10.0.1
9.*
9.37
9.37.1
9.37.2
9.37.3
gson-parent-2.*
gson-parent-2.10
gson-parent-2.10.1
gson-parent-2.11.0
gson-parent-2.4
gson-parent-2.5
gson-parent-2.6
gson-parent-2.6.1
gson-parent-2.6.2
gson-parent-2.7
gson-parent-2.8.0
gson-parent-2.8.1
gson-parent-2.8.2
gson-parent-2.8.3
gson-parent-2.8.4
gson-parent-2.8.5
gson-parent-2.8.6
gson-parent-2.8.7
gson-parent-2.8.8
gson-parent-2.8.9
gson-parent-2.9.0
gson-parent-2.9.1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-53864.json"