CVE-2025-53864: CWE-674 Uncontrolled Recursion in Connect2id Nimbus JOSE+JWT

Severity: Medium
Published: Fri Jul 11 2025 (07/11/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: Connect2id
Product: Nimbus JOSE+JWT

Description

Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.

AI-Powered Analysis

AI analysis last updated: 09/24/2025, 00:19:03 UTC

Technical Analysis

CVE-2025-53864 is a medium severity vulnerability identified in the Connect2id Nimbus JOSE+JWT library versions 10.0.x prior to 10.0.2 and 9.37.x prior to 9.37.4. The issue arises from uncontrolled recursion when processing deeply nested JSON objects within JWT claim sets. Specifically, an attacker can craft a JSON Web Token containing a claim with a deeply nested JSON structure that triggers excessive recursive calls during parsing. This uncontrolled recursion can lead to a denial of service (DoS) condition by exhausting stack memory or CPU resources, causing the application or service using the vulnerable library to crash or become unresponsive. The vulnerability is independent of any limits imposed by the underlying Gson JSON parser (version 2.11.0), as the Connect2id product itself lacks checks on the nesting depth of JSON objects. This means that even if Gson imposes some limits, the Connect2id library does not enforce its own safeguards, allowing an attacker to exploit this flaw remotely without authentication or user interaction. The CVSS v3.1 base score is 5.8, reflecting a network attack vector with low complexity, no privileges or user interaction required, and a scope change due to potential impact on availability only (no confidentiality or integrity impact). No known exploits are currently reported in the wild, and no official patches or mitigation links were provided at the time of publication. This vulnerability falls under CWE-674 (Uncontrolled Recursion), highlighting a common programming flaw where recursive calls are not properly bounded, leading to resource exhaustion.

Potential Impact

For European organizations, the primary impact of this vulnerability is the risk of denial of service in applications or services that rely on the Connect2id Nimbus JOSE+JWT library for JWT processing. Since JWTs are widely used for authentication and authorization in web applications, APIs, and microservices, exploitation could disrupt critical identity and access management workflows. This could lead to service outages, degraded user experience, and potential operational disruptions, especially in sectors relying heavily on federated identity or OAuth/OIDC protocols. Although the vulnerability does not compromise confidentiality or integrity, the availability impact can be significant in environments where uptime and continuous access are critical, such as financial services, healthcare, government portals, and telecommunications. Additionally, denial of service attacks can be leveraged as part of larger multi-vector attacks or to distract security teams. The lack of required authentication or user interaction means that attackers can exploit this remotely and anonymously, increasing the threat surface. European organizations with public-facing services or APIs that accept JWTs generated or processed by vulnerable versions of Nimbus JOSE+JWT are at risk. The impact is heightened in environments with high transaction volumes or where JWT validation is a frequent operation, as the resource exhaustion can be triggered repeatedly to amplify the denial of service effect.

Mitigation Recommendations

European organizations should take immediate steps to mitigate this vulnerability beyond generic advice. First, identify all applications and services using the Connect2id Nimbus JOSE+JWT library, focusing on versions prior to 10.0.2 and 9.37.4. Upgrade these to the latest patched versions as soon as they become available from the vendor. If patches are not yet released, implement compensating controls such as input validation to limit the depth of JSON objects within JWT claim sets before processing. This can be done by enforcing strict schema validation or using custom JSON parsers that impose nesting limits. Additionally, deploy Web Application Firewalls (WAFs) or API gateways with rules to detect and block JWTs containing suspiciously deep or complex JSON structures. Monitoring and alerting on unusual JWT payload sizes or parsing errors can help detect exploitation attempts early. Rate limiting JWT validation requests can reduce the risk of resource exhaustion from repeated attacks. Finally, conduct thorough code reviews and security testing on JWT handling components to ensure no other uncontrolled recursion or resource exhaustion vulnerabilities exist. Document and update incident response plans to include scenarios involving JWT-based denial of service attacks.
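One way to apply the nesting-depth and payload-size limits recommended above, as an added example that is not from this advisory or from Connect2id: a small Python pre-check that an API gateway or middleware can run on the raw token before handing it to the JWT library. The policy constants MAX_JSON_DEPTH and MAX_PAYLOAD_BYTES and the test-token builder are assumptions for this example, not anything from Nimbus JOSE+JWT; the library still performs signature verification afterwards.

```python
import base64
import json

MAX_JSON_DEPTH = 32       # assumed policy value; real claim sets rarely nest more than a few levels
MAX_PAYLOAD_BYTES = 8192  # assumed policy value; cheap first filter on oversized tokens

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def json_nesting_depth(raw: bytes) -> int:
    """Max {}/[] nesting depth via one iterative scan, so the check itself never recurses."""
    depth, max_depth, in_string, escaped = 0, 0, False, False
    for ch in raw.decode("utf-8", errors="replace"):
        if in_string:                      # inside "...": braces don't count, watch for \ and "
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "}]":
            depth -= 1
    return max_depth

def jwt_claims_acceptable(token: str, max_depth: int = MAX_JSON_DEPTH) -> tuple[bool, str]:
    """Structural gate run before the token reaches the JWT library (signature still checked there)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed: expected header.payload.signature"
    try:
        payload = b64url_decode(parts[1])
    except ValueError:                     # binascii.Error is a ValueError subclass
        return False, "malformed: payload is not base64url"
    if len(payload) > MAX_PAYLOAD_BYTES:
        return False, f"payload too large: {len(payload)} bytes"
    if (depth := json_nesting_depth(payload)) > max_depth:
        return False, f"claim set nesting depth {depth} exceeds limit {max_depth}"
    return True, "ok"

def make_test_token(claims: dict) -> str:
    """Constructed test token with a placeholder signature segment, only for exercising the gate."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"
```

Rejected tokens never reach the parser, and the rejection reason is a useful field to log and alert on, since a burst of depth or size rejections is the signal the advisory's monitoring recommendation is after.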


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-07-11T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68707aefa83201eaacab62a2

Added to database: 7/11/2025, 2:46:07 AM

Last enriched: 9/24/2025, 12:19:03 AM

Last updated: 10/9/2025, 1:37:30 PM

