Nimbus JOSE+JWT Library Exposed to DoS via Deeply Nested JSON in JWT Claims (CVE-2025-53864)
A denial-of-service vulnerability in the widely used Connect2id Nimbus JOSE+JWT library lets a single, maliciously crafted JWT take down the service that parses it. The flaw, tracked as CVE-2025-53864, stems from the library's failure to bound the nesting depth of JSON objects in a JWT claims set. The claims set is parsed recursively, so every level of nesting consumes another stack frame; a token whose claims are nested deeply enough exhausts the parsing thread's stack (a StackOverflowError on the JVM) and can crash the application or disrupt service. The issue is independent of the known deep-nesting problems in underlying JSON parsers such as Gson, so patching the JSON parser alone does not address it: the responsibility lies with the library's own input validation.
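The following is an added illustration of the mechanism and of the kind of pre-parse check that closes it; it is Python written for this page, not code from the Nimbus library or from the fix. CPython's `json` module recurses per nesting level and raises `RecursionError` rather than overflowing the stack, so it stands in here for the JVM's StackOverflowError. The depth limit `MAX_CLAIMS_JSON_DEPTH`, the `alg=none` token builder and the constructed attacker payload are all assumptions made for the example.

```python
import base64
import json

# Assumed limit for this example: legitimate claim sets are a few levels deep,
# so a small bound with margin is safe. Not a value taken from the Nimbus library.
MAX_CLAIMS_JSON_DEPTH = 32


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def json_nesting_depth(data: bytes) -> int:
    """Maximum nesting depth of a JSON text, measured in one non-recursive pass:
    count '{' and '[' that occur outside string literals, honouring backslash
    escapes so that '\"[' inside a string is not miscounted. This is a cheap
    pre-check, not a validator; the real parser still runs after it."""
    depth = max_depth = 0
    in_string = escaped = False
    for byte in data:
        ch = chr(byte)
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "}]":
            depth -= 1
    return max_depth


def unsecured_jwt(payload_json: str) -> str:
    """Constructed alg=none token (header.payload.), enough to reach claim-set parsing."""
    header = b64url_encode(b'{"alg":"none"}')
    return f"{header}.{b64url_encode(payload_json.encode())}."


def nested_claims_bomb(levels: int) -> str:
    """Constructed attacker token whose 'nest' claim is `levels` objects deep.
    Built by string concatenation because json.dumps on such a structure would
    itself recurse."""
    payload = '{"sub":"attacker","nest":' + '{"x":' * levels + "1" + "}" * levels + "}"
    return unsecured_jwt(payload)


def parse_claims_unguarded(token: str) -> dict:
    """Vulnerable pattern: decode the payload and hand it straight to a recursive parser."""
    _, payload, _ = token.split(".")
    return json.loads(b64url_decode(payload))


def parse_claims_guarded(token: str, max_depth: int = MAX_CLAIMS_JSON_DEPTH) -> dict:
    """Hardened pattern: bound the nesting depth before the recursive parse runs."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three-part JWS compact serialization")
    payload = b64url_decode(parts[1])
    depth = json_nesting_depth(payload)
    if depth > max_depth:
        raise ValueError(f"claims JSON nested {depth} levels, limit is {max_depth}")
    return json.loads(payload)


def outcome(parse_fn, token: str) -> str:
    """Classify what a parser does with a token: accepted, rejected, or blown up."""
    try:
        parse_fn(token)
        return "accepted"
    except RecursionError:
        return "recursion-error"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    bomb = nested_claims_bomb(100_000)
    benign = unsecured_jwt('{"sub":"alice","roles":["admin"],"ctx":{"ip":"198.51.100.7"}}')
    print("unguarded, bomb:  ", outcome(parse_claims_unguarded, bomb))
    print("guarded, bomb:    ", outcome(parse_claims_guarded, bomb))
    print("guarded, benign:  ", outcome(parse_claims_guarded, benign))
```

The important design choice is that the guard itself never recurses and never allocates per level: it is a linear scan that counts brackets outside strings, so a hostile payload costs the defender O(n) time and O(1) memory before the expensive parser is ever invoked. The same shape of check, applied to the decoded payload bytes before they reach the JSON parser, is what a library-level fix for this class of bug has to provide; an application-side limit on the size of accepted tokens narrows the window but is not a substitute for it.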
The fix ships in version 9.37.4 of the `com.nimbusds:nimbus-jose-jwt` dependency; the update in question moves from 9.37.2, a patch-level version bump that gives no hint of the security fix it carries. The vulnerability affects all versions prior to 10.0.2, the first mainline release with the fix, which points to a long-standing gap in the library's parsing logic; 9.37.4 provides the correction for projects still on the 9.x line. The automated pull request from RenovateBot highlights the need for integration teams to review and merge the update promptly, as the library underpins JWT-based authentication and authorization in countless Java applications. It often arrives transitively (for example through Spring Security's OAuth2 resource-server support), so the resolved version should be confirmed with `mvn dependency:tree -Dincludes=com.nimbusds:nimbus-jose-jwt` or Gradle's `dependencyInsight` task rather than read off the declared dependency.
This flaw is a direct operational risk to any service that parses JWTs with Nimbus. The attack is low-complexity: the payload is nothing more than a base64url-encoded JSON document with many nested levels, and wherever the claims set is decoded before the signature is verified, the attacker needs neither a valid key nor any credentials. Organizations should prioritize this update to avoid service outages; where an immediate upgrade is not possible, a limit on the size of tokens accepted at the edge narrows the attack surface, since a deeply nested payload is a large one, but it is not a substitute for the fix. The incident underscores the persistent security challenges in foundational token-handling libraries and the importance of automated dependency monitoring in the software supply chain.