Uncontrolled Recursion

CVE-2025-53864

Medium

5.8/10

Summary

Connect2id Nimbus JOSE + JWT allows a remote attacker to cause a Denial-of-Service (DoS) via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: This is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson. This issue affects `com.nimbusds:nimbus-jose-jwt` versions 9.24 through 9.37.3, and 9.38 through 10.0.1.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: CHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: LOW

CWE-674 - Uncontrolled Recursion

The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.

References

Advisory
Issue
Issue for 9.x backport fix

Advisory Timeline

Published Jul 11, 2025

Uncontrolled Recursion

CVE-2025-53864

Summary

CWE-674 - Uncontrolled Recursion

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS