Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/53xxx/CVE-2025-53864.json",
"cna_assigner": "mitre",
"cwe_ids": [
"CWE-674"
]
}{
"source": [
"DESCRIPTION",
"REFERENCES"
],
"extracted_events": [
{
"introduced": "10.0.x"
},
{
"fixed": "10.0.2"
},
{
"introduced": "9.37.x"
},
{
"fixed": "9.37.4"
}
]
}