CVE-2025-53864: CWE-674 Uncontrolled Recursion in Connect2id Nimbus JOSE+JWT
Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.
AI Analysis
Technical Summary
CVE-2025-53864 is a vulnerability in the Connect2id Nimbus JOSE+JWT library in versions prior to 10.0.2. The library is widely used for processing JSON Web Tokens (JWTs), a standard for securely transmitting information between parties as a JSON object. The vulnerability arises from uncontrolled recursion when parsing deeply nested JSON objects within a JWT claim set: the library does not impose a limit on JSON object nesting depth, so an attacker can craft a JWT whose claim set is nested excessively deep. When the vulnerable library parses such a token, the recursive parsing calls can exhaust the stack or other system resources, causing a denial of service (DoS). The issue is independent of any limits or protections in the underlying Gson JSON parser (version 2.11.0 or otherwise), because the Connect2id library itself fails to enforce a nesting-depth check. The vulnerability has a CVSS 3.1 base score of 5.8 (medium severity): attack vector network (remote attacker), low attack complexity, no privileges or user interaction required, and an availability impact with no effect on confidentiality or integrity. There are no known exploits in the wild at the time of publication, and no official patches have been linked yet. The root cause is classified as CWE-674 (Uncontrolled Recursion), a failure to bound recursive parsing depth in the software.
Potential Impact
For European organizations, the primary impact of this vulnerability is the potential for denial of service attacks against systems that utilize the Connect2id Nimbus JOSE+JWT library for JWT processing. Since JWTs are commonly used for authentication and authorization in web applications and APIs, an attacker could disrupt service availability by sending maliciously crafted tokens with deeply nested JSON claims. This could lead to application crashes or resource exhaustion, resulting in downtime or degraded service performance. While the vulnerability does not compromise confidentiality or integrity, the availability impact could affect critical business operations, especially for sectors relying heavily on JWT-based authentication such as financial services, healthcare, and government digital services. Additionally, denial of service conditions could be leveraged as part of a broader attack strategy to distract or disable defenses. The absence of required privileges or user interaction makes exploitation easier for remote attackers, increasing the risk profile for exposed services. Organizations with public-facing APIs or authentication endpoints using vulnerable versions are particularly at risk.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should take the following specific actions:
1) Upgrade the Connect2id Nimbus JOSE+JWT library to version 10.0.2 or later, where the issue has been addressed by enforcing limits on JSON object nesting depth.
2) Implement input validation and sanity checks on JWT claim sets before processing, including limiting the maximum allowed nesting depth of JSON objects to a safe threshold to prevent excessive recursion.
3) Employ runtime resource monitoring and limits (such as stack size and memory usage) for services handling JWTs to detect and mitigate abnormal resource consumption patterns indicative of exploitation attempts.
4) Use Web Application Firewalls (WAFs) or API gateways capable of inspecting JWT payloads and blocking tokens with suspiciously deep or complex JSON structures.
5) Conduct regular security testing, including fuzzing JWT inputs to identify potential parsing issues.
6) Monitor logs and alerts for signs of repeated JWT parsing failures or service crashes that may indicate exploitation attempts.
7) Where possible, implement rate limiting on authentication endpoints to reduce the risk of DoS attacks leveraging this vulnerability.
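The following is an added example of the pre-parse nesting-depth gate described in recommendation 2; it is not code from Connect2id or the Nimbus library. It scans the raw base64url payload segment of a compact JWS iteratively (so the gate itself cannot overflow the stack) and rejects the token before any JSON parser or JWT library touches it; the depth ceiling `MAX_CLAIMS_DEPTH` and the `sample_token` helper are assumptions for the demo.

```python
import base64

# Assumed ceiling on claim-set nesting; tune per deployment (a few levels is typical).
MAX_CLAIMS_DEPTH = 32


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in compact JWS."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def json_nesting_depth(text: str, limit: int) -> int:
    """Max object/array depth of a JSON text, scanned iteratively (the check itself never
    recurses) and ignoring braces inside strings; returns limit + 1 once the limit is hit."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:  # inside a string literal: only track escapes and the closing quote
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            if depth > limit:
                return limit + 1  # stop early; no need to scan the rest
            max_depth = max(max_depth, depth)
        elif ch in "}]":
            depth -= 1
    return max_depth


def claims_depth_ok(token: str, limit: int = MAX_CLAIMS_DEPTH) -> bool:
    """Pre-parse gate on the payload of a compact JWS (header.payload.signature): False if
    the claim set nests deeper than `limit` or is not valid base64url/UTF-8."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        payload = b64url_decode(parts[1]).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    return json_nesting_depth(payload, limit) <= limit


def sample_token(claims_json: str) -> str:
    """Constructed demo token: real base64url segments, dummy (unverified) signature."""
    enc = lambda s: base64.urlsafe_b64encode(s.encode()).rstrip(b"=").decode()
    return enc('{"alg":"HS256","typ":"JWT"}') + "." + enc(claims_json) + ".sig"
```

Run `claims_depth_ok` on the raw token string before handing it to the JWT library; signature verification still happens afterwards as usual.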
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-07-11T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68707aefa83201eaacab62a2
Added to database: 7/11/2025, 2:46:07 AM
Last enriched: 7/11/2025, 3:01:26 AM
Last updated: 7/11/2025, 6:58:32 AM