SentinelOne
CVE Vulnerability Database

CVE-2025-53864: Nimbus JOSE + JWT DoS Vulnerability

CVE-2025-53864 is a denial of service vulnerability in Connect2id Nimbus JOSE + JWT caused by uncontrolled recursion in deeply nested JSON objects. This article covers the technical details, affected versions, and mitigation.


CVE-2025-53864 Overview

Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. This issue is independent of the Gson 2.11.0 problem, as the Connect2id product could have independently enforced limits on JSON object nesting depth, regardless of Gson's constraints.

Critical Impact

A remote attacker who can submit a JWT to an affected application can trigger unbounded recursion with a crafted claim set. Each nesting level consumes one call frame, so a deeply nested payload exhausts the handling thread's stack and the JVM throws a StackOverflowError; depending on how the application handles that error, the request thread or the whole process fails. This is a denial-of-service (DoS) condition that costs the attacker only the bandwidth needed to send the token.

Affected Products

  • Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2
  • Connect2id Nimbus JOSE + JWT 9.37.x before 9.37.4

Discovery Timeline

  • 2025-07-11 - CVE CVE-2025-53864 published to NVD
  • 2025-09-23 - Last updated in NVD database

Technical Details for CVE-2025-53864

Vulnerability Analysis

Affected versions walk the JSON object tree of a JWT claim set recursively, descending one call frame per nesting level with no bound on depth. An attacker crafts a JWT whose claim set nests objects deeply enough that the recursion exhausts the thread's stack, the JVM throws a StackOverflowError, and the application fails to process the request: a denial-of-service condition.

Root Cause

The root cause is the absence of any constraint on JSON nesting depth before or during the recursive processing of the parsed claims. Nothing stops the recursion short of the JVM's own stack limit, so the depth of the attacker's payload decides whether parsing succeeds or the thread dies with a StackOverflowError.

Attack Vector

The attack vector is network-based: a crafted JWT sent to any endpoint of an affected application that parses the token's claim set (for example a bearer token in an Authorization header) without checking the nesting depth first.

java
// Example exploitation code (sanitized): a claim set nested `depth` levels deep
int depth = 100_000;
String payload = "{\"key\":".repeat(depth) + "\"value\"" + "}".repeat(depth);
// Affected versions recurse once per nesting level and die with a StackOverflowError
JWTClaimsSet claims = com.nimbusds.jwt.JWTClaimsSet.parse(payload);

Detection Methods for CVE-2025-53864

Indicators of Compromise

  • Unusual increase in CPU usage or request failures on endpoints that accept JWTs
  • Application logs containing java.lang.StackOverflowError with com.nimbusds frames in the trace
  • Repeated worker, thread-pool or container restarts after unhandled errors
  • Incoming tokens far larger than the application's own issuer ever produces

Detection Strategies

Monitor application logs for java.lang.StackOverflowError (and any application-level "recursion depth exceeded" errors) and correlate each occurrence with the request that preceded it. Because the trigger is stack exhaustion rather than heap growth, anomaly detection on memory usage alone will miss it; track per-endpoint error rates, latency and the size of presented tokens instead.

Monitoring Recommendations

Set up alerts for CPU spikes and for thread or worker crashes on token-accepting endpoints. Integrate with SIEM tools to correlate these events with the volume and size of incoming JWTs (for example the Authorization header length recorded in access logs).
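The detection strategy above, as an added example that is not part of the original page: a Python scanner over a constructed sample of Java application log lines. It stitches multi-line stack traces to their log record, flags records whose trace contains java.lang.StackOverflowError with com.nimbusds frames, flags oversized bearer tokens, and buckets alerts per minute so a SIEM rule can fire on a burst. The log layout, the hdrlen field (assumed to carry the Authorization header length) and the frames in the traces are constructed for the example, not taken from any real deployment.

```python
import re
from collections import Counter

# Constructed sample log lines (not from a real system). Multi-line Java
# stack traces follow the ERROR record they belong to.
SAMPLE_LOG = """\
2025-07-12T10:01:03Z INFO  http-nio-8080-exec-1 AuthFilter - token accepted sub=alice hdrlen=612
2025-07-12T10:01:04Z ERROR http-nio-8080-exec-2 AuthFilter - unhandled error hdrlen=418233
java.lang.StackOverflowError
\tat com.nimbusds.jose.util.JSONObjectUtils.parse(JSONObjectUtils.java)
\tat com.nimbusds.jwt.JWTClaimsSet.parse(JWTClaimsSet.java)
2025-07-12T10:01:04Z ERROR http-nio-8080-exec-3 AuthFilter - unhandled error hdrlen=418233
java.lang.StackOverflowError
\tat com.nimbusds.jose.util.JSONObjectUtils.parse(JSONObjectUtils.java)
2025-07-12T10:01:05Z INFO  http-nio-8080-exec-4 AuthFilter - token accepted sub=bob hdrlen=598
2025-07-12T10:02:10Z ERROR http-nio-8080-exec-5 OrderService - unhandled error hdrlen=590
java.lang.NullPointerException: order is null
\tat com.example.OrderService.place(OrderService.java)
"""

# One log record: timestamp, level, thread, logger, " - ", message. Lines that
# do not match (stack trace lines) belong to the previous record.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+)\s+(?P<thread>\S+) (?P<logger>\S+) - (?P<msg>.*)$"
)
HDRLEN_RE = re.compile(r"hdrlen=(\d+)")

# Assumed size threshold: legitimate tokens are a few hundred bytes, a payload
# nested deep enough to exhaust a stack is orders of magnitude larger.
TOKEN_SIZE_THRESHOLD = 16384


def group_records(lines):
    """Attach stack-trace continuation lines to the log record that emitted them."""
    records = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            records.append({**m.groupdict(), "trace": []})
        elif records:
            records[-1]["trace"].append(line)
    return records


def detect(lines, size_threshold=TOKEN_SIZE_THRESHOLD):
    """Return alerts for StackOverflowError in Nimbus frames and for oversized tokens."""
    alerts = []
    for rec in group_records(lines):
        trace = rec["trace"]
        stack_overflow = any(t.startswith("java.lang.StackOverflowError") for t in trace)
        in_nimbus = any("com.nimbusds" in t for t in trace)
        m = HDRLEN_RE.search(rec["msg"])
        token_size = int(m.group(1)) if m else 0
        reasons = []
        if stack_overflow and in_nimbus:
            reasons.append("StackOverflowError raised inside Nimbus JOSE + JWT frames")
        if token_size > size_threshold:
            reasons.append(f"token header {token_size} bytes exceeds {size_threshold}")
        if reasons:
            alerts.append({"ts": rec["ts"], "thread": rec["thread"], "reasons": reasons})
    return alerts


def burst_by_minute(alerts):
    """Count alerts per minute; a SIEM rule would fire above some rate."""
    return Counter(a["ts"][:16] for a in alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for a in found:
        print(a["ts"], a["thread"], "; ".join(a["reasons"]))
    print(burst_by_minute(found))
```

The unrelated NullPointerException record is not flagged: the rule requires both the error class and a Nimbus frame, which keeps ordinary application bugs out of the alert stream.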

How to Mitigate CVE-2025-53864

Immediate Actions Required

  • Upgrade to Connect2id Nimbus JOSE + JWT 10.0.2 or later (10.0.x line) or 9.37.4 or later (9.37.x line)
  • Bound token size and JSON nesting depth in your own code before handing a token to the library
  • A WAF or reverse proxy can cap request header and body sizes, which limits how deep a payload can nest; it cannot see nesting inside the base64url-encoded payload unless it decodes the token

Patch Information

Refer to the Connect2id Bitbucket commit listed in the CVE references for the patch details applicable to the affected versions.

Workarounds

Until patching is possible, reject tokens above a size threshold and scan the decoded payload for nesting depth before calling the library's parser, or parse the claims first with a JSON library that enforces a nesting limit and hand only the validated object to Nimbus. Isolating token parsing so that a StackOverflowError in one request cannot take down the whole process limits the blast radius but does not remove the bug.

bash
# Illustrative only: Nimbus JOSE + JWT does not read this variable. It stands for
# a depth limit that your own pre-parse check (or a wrapper around the library) enforces.
export MAX_JSON_DEPTH=10

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
