[GHSA-xwmg-2g98-w7v9] Nimbus JOSE + JWT is vulnerable to DoS attacks when processing deeply nested JSON #5983
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR updates a GitHub security advisory (GHSA-xwmg-2g98-w7v9) for the Nimbus JOSE + JWT library to reflect that a CVE-2025-53864 fix was backported to the 9.37.x branch while other 9.x versions remain vulnerable.
- Updates the modified timestamp to reflect the latest changes
- Adds vulnerability information for the 9.37.x branch with fix version 9.37.4
- Adds an open-ended vulnerable range starting from version 9.38.0
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "9.38.0" |
There was a problem hiding this comment.
The vulnerable range starting from 9.38.0 is missing an upper bound or 'fixed' event. This creates an open-ended vulnerability range that should either include a 'fixed' version or explicitly indicate if no fix is available yet.
| "introduced": "9.38.0" | |
| "introduced": "9.38.0" | |
| }, | |
| { | |
| "fixed": "10.0.2" |
Copilot uses AI. Check for mistakes.
8bf8ab9
into
phrabec/advisory-improvement-5983
|
Hi @phrabec! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
Updates
Comments
The fix was backported to 9.37.x branch but other versions in 9.x series remain vulnerable.
https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/593/back-port-cve-2025-53864-fix-to-9x-branch
https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f7fb882cc08f027c9ceb874acec3b51c6222861c