CVE-2025-53864

Medienbericht

EPSS 0.05%
Veröffentlicht 11.07.2025 00:00:00
Zuletzt bearbeitet 23.09.2025 19:15:39
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 9

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerConnect2id

≫

Produkt Nimbus JOSE+JWT

Default Statusunaffected

Version < 10.0.2

Version 0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.154

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cve@mitre.org	5.8	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

CWE-674 Uncontrolled Recursion

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

https://www.heise.de/news/IBM-App-Connect-Enterprise-Toolkit-kann-Daten-leaken-10685850.html

Medienbericht

heise Security

https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/583/stackoverflowerror-due-to-deeply-nested

https://github.com/google/gson/compare/gson-parent-2.11.0...gson-parent-2.12.0

https://github.com/google/gson/commit/1039427ff0100293dd3cf967a53a55282c0fef6b

https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f7fb882cc08f027c9ceb874acec3b51c6222861c

https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/593/back-port-cve-2025-53864-fix-to-9x-branch

https://nvd.nist.gov/vuln/detail/CVE-2025-53864

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-53864

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-53864

EUVD