Connect2id Nimbus JOSE+JWT <=10.0.1 DoS via uncontrolled recursion
CVE-2025-53864 Published on July 11, 2025
Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.
Weakness Type
What is a Stack Exhaustion Vulnerability?
The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.
CVE-2025-53864 has been classified to as a Stack Exhaustion vulnerability or weakness.
Products Associated with CVE-2025-53864
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-53864 are published in these products:
Affected Versions
Connect2id Nimbus JOSE+JWT:- Before 10.0.2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.