com.nimbusds:nimbus-jose-jwt:9.37.3 library in Spring Boot 3.5.x should be updated to at least 10.0.2 to resolve CVE-2025-53864

The library is pulled in transitively via:

org.springframework.boot:spring-boot-starter-oauth2-resource-server:3.5.3
    -> org.springframework.security:spring-security-oauth2-jose:6.5.1
            -> com.nimbusds:nimbus-jose-jwt:9.37.3

It looks like the Spring Security team is fixing this only for Spring Security 7.0.0.

For details, see gh-17542 which updates the dependency for Spring Security 7.0.0-M1 only.

gh-17525 is also related to gh-17542.

Comment From: wilkinsona

We can't upgrade to a new major version of a dependency in a maintenance (patch) release of Spring Boot. You can override the dependency management to meet your needs but compatibility is not guaranteed. If you need some guarantees of compatibility with spring-security-oauth2-jose, please raise this with the Spring Security team. They may have already tested compatibility with 10.0.x or may be able to do so. They may also be able to reach out to the Nimbus maintainers and request a back port of the CVE fix to a 9.37.x release. IIRC, they've done something similar in the past.

Comment From: abenoit-reeliant

Hello @wilkinsona It seems that the fix was backported in version 9.37.4 through https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/593/back-port-cve-2025-53864-fix-to-9x-branch. Does this mean that this version could be included in the next patch release of Spring Boot?

Comment From: wilkinsona

When I wrote my comment above, I had forgotten that we removed our dependency management nimbus-jose-jwt. Following that removal, Boot just uses whatever version Spring Security uses. As and when Spring Security upgrades, Boot will pick that up automatically as part of moving to the latest Spring Security 6.5.x release.
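Worked example of the override suggested in the first reply above, added here for readers of this thread and not taken from the issue or from Spring Boot itself. Since Boot no longer manages nimbus-jose-jwt, there is no Boot version property to set; the consuming Maven project pins the artifact with its own `dependencyManagement` entry, which takes precedence over the version that `spring-security-oauth2-jose` declares transitively. It pins 9.37.4 (the 9.x backport of the CVE-2025-53864 fix mentioned in the thread); 10.0.2 is the other version named in the issue, but it is a new major and, as noted above, compatibility with spring-security-oauth2-jose is not guaranteed. The `<dependencies>` entry is assumed to already exist in the project and is shown only for context.

```xml
<project>
  <!-- ... groupId, artifactId, parent (spring-boot-starter-parent 3.5.x) unchanged ... -->

  <dependencyManagement>
    <dependencies>
      <!-- Pin the transitive nimbus-jose-jwt version brought in via
           spring-boot-starter-oauth2-resource-server -> spring-security-oauth2-jose.
           9.37.4 is the 9.x release carrying the CVE-2025-53864 backport
           (see the bitbucket issue linked in this thread). -->
      <dependency>
        <groupId>com.nimbusds</groupId>
        <artifactId>nimbus-jose-jwt</artifactId>
        <version>9.37.4</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Existing starter that pulls the library in transitively (assumed present). -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
    </dependency>
  </dependencies>
</project>
```

After the change, confirm that only the pinned version resolves, for example with `mvn dependency:tree -Dincludes=com.nimbusds:nimbus-jose-jwt`; the tree should show a single `nimbus-jose-jwt:jar:9.37.4` node under `spring-security-oauth2-jose`. Gradle builds achieve the same with a `constraints` entry for `com.nimbusds:nimbus-jose-jwt:9.37.4` in the `dependencies` block. Either way, the pin should be removed once the project moves to a Spring Security 6.5.x release that already carries the fixed version, as the comment above describes.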

Comment From: abenoit-reeliant

Thanks for the reply @wilkinsona. I can see that someone already mentioned the backport on the Spring Security issue, so I'll follow that there. Have a good day. https://github.com/spring-projects/spring-security/issues/17583#issuecomment-3173365876