Spring Security Update to nimbus-jose-jwt:9.37.4

spring-security-oauth2-jose 6.5.3 depends on com.nimbusds:nimbus-jose-jwt 9.37.3, which is vulnerable to CVE-2025-53864 (uncontrolled recursion -> DoS).

The nimbus-jose-jwt project backported the gson upgrade in version 9.37.4, meaning that it is possible to fix this vulnerability in Spring Security 6.5.x.

Please could you release Spring Security with that dependency upgraded to remove this CVE?

Thank you

Comment From: florianberthe

See latest comments on: https://github.com/spring-projects/spring-security/issues/17583 https://github.com/spring-projects/spring-security/issues/17542

Comment From: florianberthe

Thank you @jgrandja

Comment From: jgrandja

@florianberthe This is now updated in 6.4.x and 6.5.x - just in time for the releases today.