CVE-2025-53864 — Nimbus JOSE + JWT is vulnerable to DoS attacks when processing deeply nested JSO

Description

Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.

How to fix CVE-2025-53864

To remediate CVE-2025-53864, upgrade the affected package to a fixed version below.

—upgrade to 10.0.2 or later

Is CVE-2025-53864 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 9.38-rc1, < 10.0.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-53864
PATCHbitbucket.org/connect2id/nimbus-jose-jwt
WEBbitbucket.org/connect2id/nimbus-jose-jwt/commits/f7fb882cc08f027c9ceb874acec3b51c6222861c
WEBbitbucket.org/connect2id/nimbus-jose-jwt/issues/583/stackoverflowerror-due-to-deeply-nested