CVE-2025-53864 | Teknoloji dünyasından en güncel haberleri ve güvenlikle ilgili gelişmeleri takip edin.

Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object…
Medium CVSS: 5.8

CVE-2025-53864

Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.
Vendor
-
Product
-
CWE
CWE-674
Yayın Tarihi
2025-07-11 03:16:03
Güncelleme
2025-09-23 19:15:39
Source Identifier
cve@mitre.org
KEV Date Added
-

Kategoriler

CWE-674 MEDIUM 2025

Referanslar

https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f7fb882cc08f027c9ceb874acec3b51c6222861c https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/583/stackoverflowerror-due-to-deeply-nested https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/593/back-port-cve-2025-53864-fix-to-9x-branch https://github.com/google/gson/commit/1039427ff0100293dd3cf967a53a55282c0fef6b https://github.com/google/gson/compare/gson-parent-2.11.0...gson-parent-2.12.0 https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/583/stackoverflowerror-due-to-deeply-nested