spring-security-oauth2-jose 6.5.1 depends on com.nimbusds:nimbus-jose-jwt 9.37.3, which is vulnerable to CVE-2025-53864 (uncontrolled recursion -> DoS).
The fix is available in Nimbus 10.0.2+, but the 6.5.x line still ships 9.37.3.
org.springframework.security:spring-security-oauth2-jose:6.5.1
-> com.nimbusds:nimbus-jose-jwt:9.37.3 <- vulnerable
Request
Could the Spring Security team please:
- Ask the Nimbus maintainers to back-port the fix to a 9.37.x release, so that the 6.5.x maintenance branch can move to a safe version without breaking compatibility? (A similar outreach was done before; see spring-boot #46478.)
Background / references
- CVE: https://access.redhat.com/security/cve/CVE-2025-53864
- Fix on the main branch: spring-security #17542
- Related discussion: #17525
Comment From: markuskiss
Thanks @uweguenther, I created an issue for that in the Nimbus JOSE JWT Repository: https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/593/back-port-cve-2025-53864-fix-to-9x-branch
Note: This is not an official request from the Spring Security team as I'm no Spring Security committer.
Comment From: jzheaux
Thanks for reaching out, @uweguenther, I agree this is important. Thank you @markuskiss for reaching out to the Nimbus team. As they are the best place to coordinate those kinds of things, I'll close this ticket and encourage folks to continue the conversation over there.
Comment From: jesperronn
I am aware this issue was closed, but please note that 3 days ago the security fix backport v9.37.4 was pushed to Maven Central
Links
- https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/593/back-port-cve-2025-53864-fix-to-9x-branch#comment-68798283
- https://mvnrepository.com/artifact/com.nimbusds/nimbus-jose-jwt/9.37.4
@jzheaux @markuskiss @uweguenther I cannot find any PRs/branches/issues that track that release. Not being familiar with the usual processes in the Spring Security project, I will leave it to you to consider whether this issue should be reopened to track the change, or something else.
Comment From: filiphr
I tried to create a PR with the upgraded dependency. However, the Spring Security has an explicit check to validate that the version in the oauth2-oidc-sdk
is the same as the one used in the project. So when I upgrade there is a failure that looks like:
* What went wrong:
Execution failed for task ':verifyDependenciesVersions'.
> Found transitive nimbus-jose-jwt:9.37.3 in oauth2-oidc-sdk:9.43.6, but the project contains a different version of nimbus-jose-jwt [9.37.4]. Please align the versions.
The Spring Security team will need to handle this somehow. Perhaps we need the Nimbus team to also provide an upgrade for oauth2-oidc-sdk with an updated nimbus-jose-jwt dependency.
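The version-alignment failure above is a check inside Spring Security's own build; an application that merely consumes spring-security-oauth2-jose 6.5.1 is not bound by it and can pin the transitive Nimbus dependency itself until a Spring Security release picks up 9.37.4. The following Gradle build script is an added example, not code from this thread or from the Spring Security project: it uses a dependency constraint to raise nimbus-jose-jwt to the back-ported fix release and registers a small task that fails the build if the resolved runtime classpath still contains a version below 9.37.4. The task name `verifyNimbusVersion` and the `isAtLeast` helper are assumptions made for this example.

```groovy
// build.gradle of an application consuming spring-security-oauth2-jose 6.5.1.
// Added example; not from the thread or the Spring Security project.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    implementation 'org.springframework.security:spring-security-oauth2-jose:6.5.1'

    // Raise the transitive nimbus-jose-jwt 9.37.3 to the 9.37.4 back-port that
    // contains the CVE-2025-53864 fix. A constraint only influences resolution;
    // it does not add the library to projects that do not already pull it in.
    constraints {
        implementation('com.nimbusds:nimbus-jose-jwt:9.37.4') {
            because 'CVE-2025-53864 (uncontrolled recursion) is fixed in the 9.37.4 back-port'
        }
    }
}

// Hypothetical helper for this example: numeric comparison of dotted versions,
// so that e.g. 9.37.10 is correctly treated as newer than 9.37.4.
static boolean isAtLeast(String actual, String minimum) {
    def a = actual.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    def m = minimum.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    int n = Math.max(a.size(), m.size())
    for (int i = 0; i < n; i++) {
        int x = i < a.size() ? a[i] : 0
        int y = i < m.size() ? m[i] : 0
        if (x != y) return x > y
    }
    return true
}

// Fail the build if the resolved runtime classpath still carries a vulnerable
// nimbus-jose-jwt, e.g. because another BOM or a 'force' rule wins over the constraint.
tasks.register('verifyNimbusVersion') {
    group = 'verification'
    description = 'Fails if nimbus-jose-jwt resolves below 9.37.4 (CVE-2025-53864)'
    doLast {
        def minimum = '9.37.4'
        def resolved = configurations.runtimeClasspath.incoming.resolutionResult.allComponents
            .collect { it.moduleVersion }
            .find { it != null && it.group == 'com.nimbusds' && it.name == 'nimbus-jose-jwt' }
        if (resolved == null) {
            throw new GradleException('nimbus-jose-jwt not found on runtimeClasspath; check the dependency graph')
        }
        if (!isAtLeast(resolved.version, minimum)) {
            throw new GradleException("nimbus-jose-jwt resolved to ${resolved.version}; " +
                "at least ${minimum} is required for the CVE-2025-53864 fix")
        }
        logger.lifecycle("nimbus-jose-jwt resolved to ${resolved.version} (>= ${minimum})")
    }
}

// Run the check as part of the normal 'check' lifecycle task of the java plugin.
tasks.named('check') { dependsOn 'verifyNimbusVersion' }
```

Running `./gradlew verifyNimbusVersion` (or `./gradlew dependencyInsight --dependency nimbus-jose-jwt --configuration runtimeClasspath`) shows which version actually won resolution. Projects that use the Spring Boot dependency-management plugin can alternatively override the BOM-managed version by setting the `nimbus-jose-jwt.version` property; that property name is taken from the spring-boot-dependencies BOM and is not something this thread documents, so verify it against the Boot version in use.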
Comment From: gonmmarques
Hello @jzheaux ,
Sorry for the ping but given the comment below
I am aware this issue was closed, but please note that 3 days ago the security fix backport v9.37.4 was pushed to Maven Central
Links
- https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/593/back-port-cve-2025-53864-fix-to-9x-branch#comment-68798283
- https://mvnrepository.com/artifact/com.nimbusds/nimbus-jose-jwt/9.37.4
@jzheaux @markuskiss @uweguenther I cannot find any PRs/branches/issues that track that release. Not being familiar with the usual processes in the Spring Security project, I will leave it to you to consider whether this issue should be reopened to track the change, or something else.
Will this fix of nimbus-jose-jwt be ported to Spring Security 6.5.x?
Thanks in advance
Comment From: sebastian89n
Hi, can this issue be re-opened? Nimbus-jose has been patched with a fix.
It would be really great if you could release Spring Security with that dependency upgraded to remove this CVE.
@jzheaux
Comment From: jgrandja
See latest update spring-security#17875