CVE-2025-53864

ADVISORY - github

Summary

Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.

EPSS Score⁠: 0.00057 (0.178)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-674⁠

Uncontrolled Recursion

ADVISORY - github

CWE-674⁠

Uncontrolled Recursion

ADVISORY - gitlab

CWE-1035⁠

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-674⁠

Uncontrolled Recursion

CWE-937⁠

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

ADVISORY - redhat

CWE-674⁠

Uncontrolled Recursion

Impacted images

Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.