Skip to main content

CVE-2025-53864: CWE-674 Uncontrolled Recursion in Connect2id Nimbus JOSE+JWT

Medium
VulnerabilityCVE-2025-53864cvecve-2025-53864cwe-674
Published: Fri Jul 11 2025 (07/11/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: Connect2id
Product: Nimbus JOSE+JWT

Description

Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.

AI-Powered Analysis

AILast updated: 07/11/2025, 03:01:26 UTC

Technical Analysis

CVE-2025-53864 is a vulnerability identified in the Connect2id Nimbus JOSE+JWT library versions prior to 10.0.2. This library is widely used for processing JSON Web Tokens (JWTs), which are a standard for securely transmitting information between parties as a JSON object. The vulnerability arises due to uncontrolled recursion when parsing deeply nested JSON objects within a JWT claim set. Specifically, the library does not impose limits on the depth of JSON object nesting, which can be exploited by an attacker to craft a JWT with excessively deep nested JSON structures. When the vulnerable library attempts to parse such a token, it triggers uncontrolled recursive calls that can exhaust the stack or system resources, leading to a denial of service (DoS). This issue is independent of any limitations or protections that might be present in the underlying Gson JSON parser (version 2.11.0 or otherwise), as the Connect2id library itself fails to enforce nesting depth checks. The vulnerability has a CVSS 3.1 base score of 5.8 (medium severity), with an attack vector of network (remote attacker), low attack complexity, no privileges or user interaction required, and impacts availability without affecting confidentiality or integrity. There are no known exploits in the wild at the time of publication, and no official patches have been linked yet. The root cause is classified under CWE-674 (Uncontrolled Recursion), highlighting a failure to control recursive parsing depth in the software.

Potential Impact

For European organizations, the primary impact of this vulnerability is the potential for denial of service attacks against systems that utilize the Connect2id Nimbus JOSE+JWT library for JWT processing. Since JWTs are commonly used for authentication and authorization in web applications and APIs, an attacker could disrupt service availability by sending maliciously crafted tokens with deeply nested JSON claims. This could lead to application crashes or resource exhaustion, resulting in downtime or degraded service performance. While the vulnerability does not compromise confidentiality or integrity, the availability impact could affect critical business operations, especially for sectors relying heavily on JWT-based authentication such as financial services, healthcare, and government digital services. Additionally, denial of service conditions could be leveraged as part of a broader attack strategy to distract or disable defenses. The absence of required privileges or user interaction makes exploitation easier for remote attackers, increasing the risk profile for exposed services. Organizations with public-facing APIs or authentication endpoints using vulnerable versions are particularly at risk.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should take the following specific actions: 1) Upgrade the Connect2id Nimbus JOSE+JWT library to version 10.0.2 or later, where the issue has been addressed by enforcing limits on JSON object nesting depth. 2) Implement input validation and sanity checks on JWT claim sets before processing, including limiting the maximum allowed nesting depth of JSON objects to a safe threshold to prevent excessive recursion. 3) Employ runtime resource monitoring and limits (such as stack size and memory usage) for services handling JWTs to detect and mitigate abnormal resource consumption patterns indicative of exploitation attempts. 4) Use Web Application Firewalls (WAFs) or API gateways capable of inspecting JWT payloads and blocking tokens with suspiciously deep or complex JSON structures. 5) Conduct regular security testing, including fuzzing JWT inputs to identify potential parsing issues. 6) Monitor logs and alerts for signs of repeated JWT parsing failures or service crashes that may indicate exploitation attempts. 7) Where possible, implement rate limiting on authentication endpoints to reduce the risk of DoS attacks leveraging this vulnerability.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-07-11T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68707aefa83201eaacab62a2

Added to database: 7/11/2025, 2:46:07 AM

Last enriched: 7/11/2025, 3:01:26 AM

Last updated: 7/11/2025, 4:04:55 AM

Views: 4

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats