From 8143cb2a6a5e5fe6c1e03669afbbab4d896cd67f Mon Sep 17 00:00:00 2001
From: Claude
Date: Tue, 14 Apr 2026 09:32:28 -0400
Subject: [PATCH] Pin numbus-jose-jwt to 9.37.4

---
 sdks/java/io/expansion-service/build.gradle | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sdks/java/io/expansion-service/build.gradle b/sdks/java/io/expansion-service/build.gradle
index b12e48207265..c53db07a7e28 100644
--- a/sdks/java/io/expansion-service/build.gradle
+++ b/sdks/java/io/expansion-service/build.gradle
@@ -56,6 +56,9 @@ configurations.runtimeClasspath {
 
 // Pin zookeeper to 3.8.6 to fix CVE in transitive 3.8.4 from hadoop/hbase
 resolutionStrategy.force 'org.apache.zookeeper:zookeeper:3.8.6'
+
+ // Pin nimbus-jose-jwt to 9.37.4 to fix CVE-2025-53864 (transitive via hadoop-auth)
+ resolutionStrategy.force 'com.nimbusds:nimbus-jose-jwt:9.37.4'
 }
 
 shadowJar {
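Review bot: The added `resolutionStrategy.force 'com.nimbusds:nimbus-jose-jwt:9.37.4'` is an exact pin rather than a minimum, so once hadoop-auth requests a newer nimbus-jose-jwt this line will silently downgrade it to 9.37.4 and hold back later security fixes. The force is also scoped to `configurations.runtimeClasspath` of this one module, so other configurations or modules that pull in hadoop-auth may still resolve the unpatched transitive version; running `dependencyInsight --dependency nimbus-jose-jwt` against each affected configuration would confirm what actually ships. I would extend the comment with a removal condition, e.g. `// Remove once hadoop-auth itself depends on nimbus-jose-jwt >= 9.37.4; force also downgrades newer versions`. The enclosing `configurations.runtimeClasspath` block starts outside the hunk, so any earlier pins that interact with this one are not visible here. The subject line spells the artifact `numbus-jose-jwt`, which makes the commit harder to find when searching history for the CVE-2025-53864 fix.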