[jira] [Created] (HDDS-13527) Upgrade nimbus-jose-jwt to 10.0.2+ due to CVE-2025-53864

Rohit Kumar (Jira) Thu, 31 Jul 2025 01:44:06 -0700

Rohit Kumar created HDDS-13527:
----------------------------------

             Summary: Upgrade nimbus-jose-jwt to 10.0.2+ due to CVE-2025-53864
                 Key: HDDS-13527
                 URL: https://issues.apache.org/jira/browse/HDDS-13527
             Project: Apache Ozone
          Issue Type: Task
            Reporter: Rohit Kumar



CVE-2025-53864: 

Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause a 
denial of service via a deeply nested JSON object supplied in a JWT claim set, 
because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 
issue because the Connect2id product could have checked the JSON object nesting 
depth, regardless of what limits (if any) were imposed by Gson.

Severity: 6.9 (medium)

[https://nvd.nist.gov/vuln/detail/CVE-2025-53864] 
[https://security.snyk.io/vuln/SNYK-JAVA-COMNIMBUSDS-10691768] 
[https://github.com/advisories/GHSA-xwmg-2g98-w7v9] 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Created] (HDDS-13527) Upgrade nimbus-jose-jwt to 10.0.2+ due to CVE-2025-53864

Reply via email to