Back‑port CVE‑2025‑53864 fix (nimbus‑jose‑jwt) to Spring Security 6.5.x

[uweguenther]

spring-security-oauth2-jose 6.5.1 depends on com.nimbusds:nimbus-jose-jwt 9.37.3, which is vulnerable to CVE-2025-53864 (uncontrolled recursion -> DoS).

The fix is available in Nimbus 10.0.2+, but the 6.5.x line still ships 9.37.3.

org.springframework.security:spring-security-oauth2-jose:6.5.1
    -> com.nimbusds:nimbus-jose-jwt:9.37.3   <- vulnerable

Request

Could the Spring Security team please:

• Ask the Nimbus maintainers to back‑port the fix to a 9.37.x release, so that the 6.5.x maintenance branch can move to a safe version without breaking compatibility?
  (A similar outreach was done before—see spring‑boot #46478.)

Background / references

• CVE: https://access.redhat.com/security/cve/CVE-2025-53864
• Fix on the main branch: spring‑security #17542
• Related discussion: #17525

[markuskiss]

Thanks @uweguenther, I created an issue for that in the Nimbus JOSE JWT Repository: https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/593/back-port-cve-2025-53864-fix-to-9x-branch

Note: This is not an official request from the Spring Security team as I'm no Spring Security committer.

[jzheaux]

Thanks for reaching out, @uweguenther, I agree this is important. Thank you @markuskiss for reaching out to the Nimbus team. As they are the best place to coordinate those kinds of things, I'll close this ticket and encourage folks to continue the conversation over there.

[jesperronn]

I am aware this issue was closed, but please note that 3 days ago the security fix backport v9.37.4 was pushed to Maven Central

Links

• https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/593/back-port-cve-2025-53864-fix-to-9x-branch#comment-68798283
• https://mvnrepository.com/artifact/com.nimbusds/nimbus-jose-jwt/9.37.4

@jzheaux @markuskiss @uweguenther I cannot find any PRs/branches/issues that tracks that release. Not familiar to the usual processes in Spring Security project, I will leave it to you to consider if this issue should reopen and track the change or something else.

[filiphr]

I tried to create a PR with the upgraded dependency. However, the Spring Security has an explicit check to validate that the version in the oauth2-oidc-sdk is the same as the one used in the project. So when I upgrade there is a failure that looks like:

* What went wrong:
Execution failed for task ':verifyDependenciesVersions'.
> Found transitive nimbus-jose-jwt:9.37.3 in oauth2-oidc-sdk:9.43.6, but the project contains a different version of nimbus-jose-jwt [9.37.4]. Please align the versions.

The Spring Security Team will need to handle this somehow. Perhaps we need to the Nimbus team to also provide an upgrade for oauth2-oidc-sdk with an updated nimbus-jose-jwt dependency.

[gonmmarques]

Hello @jzheaux ,

Sorry for the ping but given the comment below

I am aware this issue was closed, but please note that 3 days ago the security fix backport v9.37.4 was pushed to Maven Central

Links

• https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/593/back-port-cve-2025-53864-fix-to-9x-branch#comment-68798283
• https://mvnrepository.com/artifact/com.nimbusds/nimbus-jose-jwt/9.37.4

@jzheaux @markuskiss @uweguenther I cannot find any PRs/branches/issues that tracks that release. Not familiar to the usual processes in Spring Security project, I will leave it to you to consider if this issue should reopen and track the change or something else.

Will this fix of the nimbus-jose-jwt will be ported to Spring Security 6.5.x?

Thanks in advance

[sebastian89n]

Hi, can this issue be re-opened? Nimbus-jose has been patched with a fix.

It would be really great you could release Spring Security with that dependency upgraded to remove this CVE.

@jzheaux