Hi, can the nimbus-jose-jwt library be updated to 10.0.2 to resolve https://access.redhat.com/security/cve/CVE-2025-53864?

Comment From: snieguu

I will add additional context here. As mentioned above, we should update to at least version 10.0.2. See: https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/583/parsing-must-reject-deeply-nested-json

The vulnerability lies within Gson. However, it's not possible to simply force a specific Gson version because it is shaded into nimbus-jose-jwt.

I am currently checking (in my project) the possibility of forcing an updated version of nimbus-jose-jwt.

Related/Similar issues:

- https://github.com/spring-projects/spring-security/issues/13843
- https://github.com/spring-projects/spring-security/issues/14245
- https://github.com/spring-projects/spring-security/issues/15951