CVE-2025-53864
BaseFortify

Publication date: 2025-07-11

Last updated on: 2025-09-23

Assigner: MITRE

Description
Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-07-11
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: google | Product: gson | Version / Range: *
CWE
CWE-674: The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Connect2id Nimbus JOSE + JWT versions before 10.0.2 allows a remote attacker to cause a denial of service by supplying a deeply nested JSON object within a JWT claim set. The issue arises due to uncontrolled recursion when processing the nested JSON, which can exhaust system resources and cause the application to crash or become unresponsive.


How can this vulnerability impact me?

The impact of this vulnerability is a denial of service (DoS), meaning an attacker can cause the affected application to crash or become unavailable by sending a specially crafted JWT with deeply nested JSON. This can disrupt service availability and affect users relying on the application.


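As an added illustration of the nesting-depth check the description says the library could have applied (this is not Connect2id or Nimbus JOSE + JWT code), the Python below measures the bracket depth of a JWT claim-set payload with a linear scan before any recursive JSON parser sees it, and rejects the token when the depth exceeds a limit. The 32-level limit, the token builder and the sample claim sets are constructed assumptions for the demo; signature verification is out of scope.

```python
import base64
import json

MAX_CLAIMS_DEPTH = 32  # assumed limit; real claim sets nest only a few levels


def json_nesting_depth(text: str) -> int:
    """Maximum {} / [] nesting depth of a JSON text, found by a linear scan
    that skips string literals (and escaped quotes), so no recursion runs
    on the untrusted input before the check."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "}]":
            depth -= 1
    return max_depth


def decode_jwt_payload(token: str) -> str:
    """Raw JSON text of the claim set (second segment of a compact JWS)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return base64.urlsafe_b64decode(seg).decode("utf-8")


def parse_claims_guarded(token: str, max_depth: int = MAX_CLAIMS_DEPTH) -> dict:
    """Refuse over-nested claim sets before handing them to a recursive parser."""
    payload = decode_jwt_payload(token)
    depth = json_nesting_depth(payload)
    if depth > max_depth:
        raise ValueError(f"claim set nesting depth {depth} exceeds limit {max_depth}")
    return json.loads(payload)


def make_test_token(claims_json: str) -> str:
    """Constructed, unsigned demo token; the signature segment is a placeholder."""
    def b64(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64(b'{"alg":"HS256","typ":"JWT"}')
    return f"{header}.{b64(claims_json.encode())}.placeholder-sig"
```

Without the guard, json.loads on the deeply nested sample below hits the interpreter's recursion limit, which is the same failure class the CVE describes.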