.. _vulnerabilityManagement_securityAdvisory_2025_CVE-2025-53864:

CVE-2025-53864
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: 2025-07-12

Severity: Medium

CVSS Score: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L)

References:

- `https://nvd.nist.gov/vuln/detail/CVE-2025-53864 `_
- `https://ossindex.sonatype.org/vulnerability/CVE-2025-53864 `_
- `https://github.com/advisories/GHSA-xwmg-2g98-w7v9 `_

Library: com.nimbusds:nimbus-jose-jwt < 10.0.2

**Description**

[CVE-2025-53864] CWE-674: Uncontrolled Recursion

Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. The claim set is parsed recursively, so an unauthenticated client that can submit a token controls the recursion depth of the parser. NOTE: this is independent of the Gson 2.11.0 issue, because the Connect2id product could have checked the JSON object nesting depth itself, regardless of what limits (if any) were imposed by Gson.

**GovWay**

Affected versions:

- 3.3.x: <= 3.3.17
- 3.4.x: none

Resolution:

- 3.3.x: 3.3.18
- 3.4.x: >= 3.4.0
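The mitigation the advisory alludes to (checking the nesting depth of the claim set before handing it to a recursive parser) is illustrated below. This is an added example written for this page; it is not code from Nimbus JOSE + JWT, Connect2id or GovWay, and it does not reproduce the library's internals. The depth limit ``MAX_JSON_DEPTH``, the helper names and the unsigned sample tokens are assumptions made for the demonstration: a real deployment keeps its signature or MAC verification, and runs this check on the raw payload bytes before any JSON parsing of the claims.

```python
"""Depth-bounded parsing of a JWT claim set (added example, not library code).

A compact JWS is header.payload.signature, each part base64url-encoded. The
claim set is the JSON object in the payload. A recursive JSON parser with no
depth limit can be driven into stack exhaustion by a payload such as
{"a":{"a":{"a": ... }}} thousands of levels deep (CWE-674). The guard below
walks the payload once, iteratively, counting bracket nesting outside of
string literals, and refuses the token before json.loads ever runs.
"""
import base64
import json

MAX_JSON_DEPTH = 32  # assumed limit; realistic claim sets are 2-3 levels deep


class JwtDepthExceeded(ValueError):
    """Raised when the claim set nests deeper than the configured limit."""


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def json_nesting_depth(text: str) -> int:
    """Maximum {}/[] nesting depth of a JSON text, computed without recursion.

    Brackets inside string literals (including escaped quotes) are ignored,
    so a payload like {"a":"}{"} is correctly reported as depth 1.
    """
    depth = max_depth = 0
    in_string = escape = False
    for ch in text:
        if in_string:
            if escape:
                escape = False
            elif ch == "\\":
                escape = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "}]":
            depth -= 1
    return max_depth


def parse_jwt_claims(token: str, max_depth: int = MAX_JSON_DEPTH) -> dict:
    """Return the claim set of a compact JWT, rejecting over-nested payloads.

    The depth check is deliberately placed before json.loads: the point of the
    CVE is that the parser itself is the thing that must not see the input.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = b64url_decode(parts[1]).decode("utf-8")
    depth = json_nesting_depth(payload)
    if depth > max_depth:
        raise JwtDepthExceeded(f"claim set nesting depth {depth} > {max_depth}")
    claims = json.loads(payload)
    if not isinstance(claims, dict):
        raise ValueError("claim set must be a JSON object")
    return claims


def make_unsigned_jwt(claims_json: str) -> str:
    """Build a test token with an empty signature (constructed fixture only)."""
    header = b64url_encode(b'{"alg":"none"}')
    return f"{header}.{b64url_encode(claims_json.encode('utf-8'))}."


def unguarded_parse_fails(claims_json: str) -> bool:
    """True if feeding the payload straight to json.loads exhausts the stack."""
    try:
        json.loads(claims_json)
        return False
    except RecursionError:
        return True


# Constructed inputs: a benign claim set and a 5000-level nested one.
BENIGN_CLAIMS = '{"sub":"alice","roles":["admin"]}'
NESTED_CLAIMS = '{"a":' * 5000 + "1" + "}" * 5000

if __name__ == "__main__":
    print(parse_jwt_claims(make_unsigned_jwt(BENIGN_CLAIMS)))
    print("unguarded json.loads crashes:", unguarded_parse_fails(NESTED_CLAIMS))
    try:
        parse_jwt_claims(make_unsigned_jwt(NESTED_CLAIMS))
    except JwtDepthExceeded as exc:
        print("rejected:", exc)
```

The scan is linear in the payload size and uses constant stack, so it cannot itself become the DoS vector; the limit should be set from the deepest structure the application legitimately expects, not from whatever the underlying JSON library happens to tolerate, which is exactly the distinction the advisory's note about Gson draws.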