CVE-2025-53864 is a vulnerability identified in the Connect2id Nimbus JOSE+JWT library versions prior to 10.0.2. This library is widely used for processing JSON Web Tokens (JWTs), which are a standard for securely transmitting information between parties as a JSON object. The vulnerability arises due to uncontrolled recursion when parsing deeply nested JSON objects within a JWT claim set. Specifically, the library does not impose limits on the depth of JSON object nesting, which can be exploited by an attacker to craft a JWT with excessively deep nested JSON structures. When the vulnerable library attempts to parse such a token, it triggers uncontrolled recursive calls that can exhaust the stack or system resources, leading to a denial of service (DoS). This issue is independent of any limitations or protections that might be present in the underlying Gson JSON parser (version 2.11.0 or otherwise), as the Connect2id library itself fails to enforce nesting depth checks. The vulnerability has a CVSS 3.1 base score of 5.8 (medium severity), with an attack vector of network (remote attacker), low attack complexity, no privileges or user interaction required, and impacts availability without affecting confidentiality or integrity. There are no known exploits in the wild at the time of publication, and no official patches have been linked yet. The root cause is classified under CWE-674 (Uncontrolled Recursion), highlighting a failure to control recursive parsing depth in the software.

For European organizations, the primary impact of this vulnerability is the potential for denial of service attacks against systems that utilize the Connect2id Nimbus JOSE+JWT library for JWT processing. Since JWTs are commonly used for authentication and authorization in web applications and APIs, an attacker could disrupt service availability by sending maliciously crafted tokens with deeply nested JSON claims. This could lead to application crashes or resource exhaustion, resulting in downtime or degraded service performance. While the vulnerability does not compromise confidentiality or integrity, the availability impact could affect critical business operations, especially for sectors relying heavily on JWT-based authentication such as financial services, healthcare, and government digital services. Additionally, denial of service conditions could be leveraged as part of a broader attack strategy to distract or disable defenses. The absence of required privileges or user interaction makes exploitation easier for remote attackers, increasing the risk profile for exposed services. Organizations with public-facing APIs or authentication endpoints using vulnerable versions are particularly at risk.

To mitigate this vulnerability, European organizations should take the following specific actions: 1) Upgrade the Connect2id Nimbus JOSE+JWT library to version 10.0.2 or later, where the issue has been addressed by enforcing limits on JSON object nesting depth. 2) Implement input validation and sanity checks on JWT claim sets before processing, including limiting the maximum allowed nesting depth of JSON objects to a safe threshold to prevent excessive recursion. 3) Employ runtime resource monitoring and limits (such as stack size and memory usage) for services handling JWTs to detect and mitigate abnormal resource consumption patterns indicative of exploitation attempts. 4) Use Web Application Firewalls (WAFs) or API gateways capable of inspecting JWT payloads and blocking tokens with suspiciously deep or complex JSON structures. 5) Conduct regular security testing, including fuzzing JWT inputs to identify potential parsing issues. 6) Monitor logs and alerts for signs of repeated JWT parsing failures or service crashes that may indicate exploitation attempts. 7) Where possible, implement rate limiting on authentication endpoints to reduce the risk of DoS attacks leveraging this vulnerability.