Skip to content

spring-boot-starter-oauth2-client-3.5.3.jar: 1 vulnerabilities (highest severity is: 5.8) #595

New issue
New issue
Open
Open
spring-boot-starter-oauth2-client-3.5.3.jar: 1 vulnerabilities (highest severity is: 5.8)#595
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on Jul 19, 2025
Vulnerable Library - spring-boot-starter-oauth2-client-3.5.3.jar

Path to dependency file: /server/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/com.nimbusds/nimbus-jose-jwt/9.37.3/700f71ffefd60c16bd8ce711a956967ea9071cec/nimbus-jose-jwt-9.37.3.jar

Found in HEAD commit: ecf4b5d1aaf3551c1bcdfd8225b12109647b5f63

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (spring-boot-starter-oauth2-client version) Remediation Possible**
CVE-2025-53864 Medium 5.8 nimbus-jose-jwt-9.37.3.jar Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-53864

Vulnerable Library - nimbus-jose-jwt-9.37.3.jar

Java library for Javascript Object Signing and Encryption (JOSE) and JSON Web Tokens (JWT)

Library home page: https://bitbucket.org/connect2id/nimbus-jose-jwt

Path to dependency file: /server/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/com.nimbusds/nimbus-jose-jwt/9.37.3/700f71ffefd60c16bd8ce711a956967ea9071cec/nimbus-jose-jwt-9.37.3.jar

Dependency Hierarchy:

  • spring-boot-starter-oauth2-client-3.5.3.jar (Root Library)
    • spring-security-oauth2-client-6.5.1.jar
      • oauth2-oidc-sdk-9.43.6.jar
        • nimbus-jose-jwt-9.37.3.jar (Vulnerable Library)

Found in HEAD commit: ecf4b5d1aaf3551c1bcdfd8225b12109647b5f63

Found in base branch: develop

Vulnerability Details

Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.

Publish Date: 2025-07-11

URL: CVE-2025-53864

CVSS 3 Score Details (5.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions