CVE-2025-53864
📋 TL;DR
This vulnerability allows remote attackers to cause a denial of service in the Connect2id Nimbus JOSE + JWT library by sending a JWT whose JSON (the claim set in particular) is nested thousands of levels deep, triggering uncontrolled recursion in the parser and a StackOverflowError. It affects any application that parses untrusted JWTs with a vulnerable version of the library. The issue is independent of the nesting-depth handling in the underlying Gson JSON parser (the Gson 2.12.0 change is referenced below), so the library needed its own fix rather than a Gson upgrade.
💻 Affected Systems
- Connect2id Nimbus JOSE + JWT
⚠️ Manual Verification Required
This CVE entry does not carry machine-readable version ranges, so automatic vulnerability detection cannot determine whether your system is affected; check your resolved dependency tree by hand against the fixed versions named in the vendor's fix commit and issue tracker (10.0.2, backported to the 9.x branch as 9.37.4).
Why? The CVE database entry describes the affected versions only in prose and provides no structured version ranges for automated matching.
- Review the CVE details at NVD
- Check the vendor's issue tracker and release notes for your specific version
- Test whether the vulnerability is reachable in your environment (any endpoint that parses JWTs from untrusted callers)
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to application crashes from StackOverflowError, requiring manual restart and potentially causing extended downtime.
Likely Case
Intermittent service disruptions when malicious JWTs are processed, leading to degraded performance and potential availability issues.
If Mitigated
Minimal impact with proper input validation and depth limits in place, though some performance degradation may occur.
🎯 Exploit Status
Exploitation requires sending a specially crafted JWT with deeply nested JSON structures, which is straightforward to create.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.0.2 (or 9.37.4 on the 9.x branch)
Vendor Advisory: https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f7fb882cc08f027c9ceb874acec3b51c6222861c
Restart Required: Yes
Instructions:
1. Update the com.nimbusds:nimbus-jose-jwt dependency to 10.0.2, or to 9.37.4 if you must stay on the 9.x branch.
2. Change the version in pom.xml or build.gradle, and confirm that no other dependency still pins an older transitive version of the library.
3. Rebuild and redeploy the application.
4. Restart affected services.
🔧 Temporary Workarounds
Input validation filter
Implement middleware that rejects JWTs whose header or payload JSON exceeds a nesting-depth limit before the token reaches the vulnerable library. Count opening braces and brackets with a plain loop (ignoring those inside string literals) rather than parsing the JSON, so the filter itself cannot overflow the stack.
Rate limiting
Implement rate limiting on JWT endpoints to reduce the impact of DoS attempts.
🧯 If You Can't Patch
- Implement WAF rules that block JWTs with deeply nested JSON structures; the WAF must base64url-decode the token segments to inspect them, and a maximum token length is a cruder fallback where it cannot
- Monitor application logs for StackOverflowError exceptions and alert on them
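The nesting-depth pre-check that both the input validation filter workaround and the WAF rule above rely on, as an added example (it is not code from the Nimbus project or from this advisory). The logic is language-neutral and is shown in Python; the depth limit of 20, the handling of three-segment (JWS) and five-segment (JWE) tokens, and the constructed benign and malicious tokens are assumptions, and the check would be ported into whatever sits in front of the library (a servlet filter, a gateway plugin, or a WAF script):

```python
"""Pre-filter that rejects JWTs with deeply nested JSON before they reach
nimbus-jose-jwt. Added example, not code from the library or the advisory;
the depth limit and the token-format handling are assumptions."""
import base64
import binascii

# Assumed policy value. Real headers and claim sets are rarely nested more
# than a few levels deep; tune it to the tokens your issuers actually mint.
MAX_DEPTH = 20


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment of a compact JWS/JWE, restoring padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def json_nesting_depth(text: str, limit: int) -> int:
    """Maximum nesting depth of objects/arrays in `text`, computed with a
    plain loop so the check itself cannot overflow the stack. Braces and
    brackets inside string literals are ignored. Returns as soon as the
    depth exceeds `limit` (the result is then limit + 1)."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            if depth > max_depth:
                max_depth = depth
                if max_depth > limit:
                    return max_depth
        elif ch in "}]" and depth > 0:
            depth -= 1
    return max_depth


def jwt_nesting_ok(token: str, limit: int = MAX_DEPTH) -> bool:
    """True if every JSON-bearing segment of a compact JWT stays within
    `limit`. JWS and unsecured JWTs (3 segments): header and payload.
    JWE (5 segments): header only, because the claims are ciphertext and
    can only be checked after decryption, i.e. inside the library."""
    segments = token.strip().split(".")
    if len(segments) == 3:
        json_segments = segments[:2]
    elif len(segments) == 5:
        json_segments = segments[:1]
    else:
        return False  # not compact serialization; let the application reject it
    for segment in json_segments:
        try:
            raw = _b64url_decode(segment)
        except (binascii.Error, ValueError):
            return False
        if json_nesting_depth(raw.decode("utf-8", "replace"), limit) > limit:
            return False
    return True


def _unsigned_jwt(header_json: str, payload_json: str) -> str:
    """Constructed test vector: an unsigned (alg=none) compact JWT. The
    filter runs before any library call, so the signature is irrelevant."""
    def enc(s: str) -> str:
        return base64.urlsafe_b64encode(s.encode()).rstrip(b"=").decode()
    return f"{enc(header_json)}.{enc(payload_json)}."


# Constructed benign token: two levels deep; the string value contains
# brackets that a naive brace counter would miscount.
BENIGN_TOKEN = _unsigned_jwt(
    '{"alg":"none","typ":"JWT"}',
    '{"sub":"alice","roles":["admin"],"note":"{[{[{[{[ not nesting"}',
)

# Constructed malicious token: 5000 nested objects in the claim set, the
# shape the advisory describes.
DEEP_TOKEN = _unsigned_jwt(
    '{"alg":"none","typ":"JWT"}',
    '{"a":' * 5000 + "1" + "}" * 5000,
)

if __name__ == "__main__":
    print("benign accepted:", jwt_nesting_ok(BENIGN_TOKEN))  # True
    print("deep accepted:", jwt_nesting_ok(DEEP_TOKEN))      # False
```

Two caveats: the filter cannot see claims inside a JWE or inside a nested JWT carried as a JWS payload, so those parsing paths are only protected by the patch; and pairing the check with a maximum token length catches oversized tokens before any decoding happens.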
🔍 How to Verify
Check if Vulnerable:
Check project dependencies for com.nimbusds:nimbus-jose-jwt at any version before 10.0.2 (10.x branch) or before 9.37.4 (9.x branch); the library is often pulled in transitively (for example by spring-security-oauth2-jose), so inspect the resolved tree rather than only the declared dependencies
Check Version:
mvn dependency:tree | grep nimbus-jose-jwt (Maven) or gradle dependencies | grep nimbus-jose-jwt (Gradle)
Verify Fix Applied:
Verify that the resolved nimbus-jose-jwt version is 10.0.2 or later (or 9.37.4 or later on the 9.x branch) in the dependency tree, not just in the declared version
📡 Detection & Monitoring
Log Indicators:
- StackOverflowError in application logs
- JWT processing failures
- Increased error rates on authentication endpoints
Network Indicators:
- Unusually large JWT payloads
- Multiple authentication requests with similar payloads
SIEM Query:
source="application.logs" AND ("StackOverflowError" OR ("com.nimbusds" AND "error"))
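The SIEM predicate above, as an added example run over constructed log lines (not the advisory's or the library's own code). It applies the query with the intended precedence (StackOverflowError, or a library message that mentions an error), matches on the library's real package prefix com.nimbusds rather than a looser term, and adds a per-client count, since a burst of StackOverflowErrors from one client is the signal worth paging on. The log line layout, the client field and the sample lines are assumptions:

```python
"""Detection logic for the log indicators above, run over constructed sample
lines. Added example, not the library's or the advisory's own code; the log
line layout and the client field are assumptions."""
import re
from collections import Counter

# Assumed line shape: "<timestamp> <LEVEL> [client=<ip>] <message>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<level>\w+) \[client=(?P<ip>[^\]]+)\] (?P<msg>.*)$")


def matches_siem_query(msg: str) -> bool:
    """Same predicate as the SIEM query, with the precedence made explicit:
    StackOverflowError OR (com.nimbusds AND error). Case-insensitive, so it
    matches both the exception name and free-text error messages."""
    m = msg.lower()
    return "stackoverflowerror" in m or ("com.nimbusds" in m and "error" in m)


def find_suspicious(lines, burst_threshold: int = 3):
    """Return (matched_lines, bursting_clients). `matched_lines` is every
    line the query selects; `bursting_clients` are clients with at least
    `burst_threshold` matches, the 'increased error rate' signal that
    separates an attack from a single malformed token."""
    matched = []
    per_client = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m is None or not matches_siem_query(m["msg"]):
            continue  # unparseable line, or one the query would not select
        matched.append(line)
        per_client[m["ip"]] += 1
    bursting = sorted(ip for ip, n in per_client.items() if n >= burst_threshold)
    return matched, bursting


# Constructed sample log lines, not captured from a real deployment.
SAMPLE_LOGS = [
    "2025-07-14T10:00:01Z INFO [client=10.0.0.5] JWT accepted for sub=alice",
    "2025-07-14T10:00:02Z ERROR [client=203.0.113.7] Uncaught exception: java.lang.StackOverflowError",
    "2025-07-14T10:00:02Z ERROR [client=203.0.113.7] com.nimbusds.jwt.JWTParser: token parse error",
    "2025-07-14T10:00:03Z WARN [client=10.0.0.9] com.nimbusds.jose.JOSEException: Invalid signature",
    "2025-07-14T10:00:04Z ERROR [client=203.0.113.7] Uncaught exception: java.lang.StackOverflowError",
    "2025-07-14T10:00:05Z ERROR [client=198.51.100.2] Uncaught exception: java.lang.StackOverflowError",
    "malformed line the parser should skip",
]

if __name__ == "__main__":
    hits, clients = find_suspicious(SAMPLE_LOGS)
    print(f"{len(hits)} matching lines; bursting clients: {clients}")
    # 4 matching lines; bursting clients: ['203.0.113.7']
```

Note that the signature-failure line from the library is deliberately not selected: it contains the package prefix but no error keyword, which keeps ordinary rejected tokens out of the alert while still catching parser failures and the StackOverflowError itself.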
🔗 References
- https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f7fb882cc08f027c9ceb874acec3b51c6222861c
- https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/583/stackoverflowerror-due-to-deeply-nested
- https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/593/back-port-cve-2025-53864-fix-to-9x-branch
- https://github.com/google/gson/commit/1039427ff0100293dd3cf967a53a55282c0fef6b
- https://github.com/google/gson/compare/gson-parent-2.11.0...gson-parent-2.12.0