spring-security-oauth2-jose 6.5.1 depends on com.nimbusds:nimbus-jose-jwt 9.37.3, which is vulnerable to CVE-2025-53864 (uncontrolled recursion -> DoS).

The fix is available in Nimbus 10.0.2+, but the 6.5.x line still ships 9.37.3.

org.springframework.security:spring-security-oauth2-jose:6.5.1
    -> com.nimbusds:nimbus-jose-jwt:9.37.3   <- vulnerable

Request

Could the Spring Security team please:

  • Ask the Nimbus maintainers to back-port the fix to a 9.37.x release, so that the 6.5.x maintenance branch can move to a safe version without breaking compatibility? (A similar outreach was done before—see spring-boot #46478.)

Background / references

  • CVE: https://access.redhat.com/security/cve/CVE-2025-53864
  • Fix on the main branch: spring-security #17542
  • Related discussion: #17525
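An added check, not part of the issue and not code from the Spring Security or Nimbus projects: a POSIX shell script that scans `mvn dependency:tree` output for the resolved nimbus-jose-jwt version and fails when it is below 10.0.2, the first release the issue names as carrying the CVE-2025-53864 fix. The sample tree and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: flag com.nimbusds:nimbus-jose-jwt versions below the fixed
# release named in the issue (10.0.2) in Maven/Gradle dependency-tree output.
FIXED_VERSION="10.0.2"

# Constructed sample of `mvn dependency:tree` for a spring-security-oauth2-jose 6.5.1 consumer.
SAMPLE_TREE='[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.security:spring-security-oauth2-jose:jar:6.5.1:compile
[INFO] |  \- com.nimbusds:nimbus-jose-jwt:jar:9.37.3:compile
[INFO] \- org.springframework.boot:spring-boot-starter:jar:3.5.0:compile'

# Print each distinct nimbus-jose-jwt version found, one per line.
# Handles Maven (group:artifact:jar:version:scope) and plain Gradle
# (group:artifact:version) coordinates; Gradle "a -> b" conflict arrows are not parsed.
nimbus_versions() {
    printf '%s\n' "$1" |
        grep -o 'com\.nimbusds:nimbus-jose-jwt:[^ ]*' |
        awk -F: '{ v = $3; if (v == "jar") v = $4; sub(/[^0-9.].*$/, "", v); print v }' |
        sort -u
}

# Return 0 when every resolved version is >= FIXED_VERSION, 1 otherwise
# (including when the artifact is not present at all, so nothing was verified).
nimbus_is_fixed() {
    versions=$(nimbus_versions "$1")
    [ -n "$versions" ] || return 1
    printf '%s\n' "$versions" | awk -v fixed="$FIXED_VERSION" -F. '
        BEGIN { split(fixed, f, ".") }
        {
            # Compare major.minor.patch numerically, left to right.
            for (i = 1; i <= 3; i++) {
                a = $i + 0; b = f[i] + 0
                if (a < b) { bad = 1; exit }
                if (a > b) { next }
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Usage: pipe real output in with `mvn dependency:tree | nimbus_is_fixed "$(cat)"`.
nimbus_is_fixed "$SAMPLE_TREE" || echo "nimbus-jose-jwt below $FIXED_VERSION found: $(nimbus_versions "$SAMPLE_TREE")"
```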

Comment From: markuskiss

Thanks @uweguenther, I created an issue for that in the Nimbus JOSE JWT Repository: https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/593/back-port-cve-2025-53864-fix-to-9x-branch

Note: This is not an official request from the Spring Security team as I'm no Spring Security committer.

Comment From: jzheaux

Thanks for reaching out, @uweguenther; I agree this is important. Thank you @markuskiss for reaching out to the Nimbus team. As they are the best place to coordinate those kinds of things, I'll close this ticket and encourage folks to continue the conversation over there.