CVE-2025-53864

medium

Description

Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.

References

https://github.com/google/gson/compare/gson-parent-2.11.0...gson-parent-2.12.0

https://github.com/google/gson/commit/1039427ff0100293dd3cf967a53a55282c0fef6b

https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/583/stackoverflowerror-due-to-deeply-nested

Details

Source: Mitre, NVD

Published: 2025-07-11

Updated: 2025-07-11

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Severity: Medium

CVSS v3

Base Score: 5.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

Severity: Medium

EPSS

EPSS: 0.00095