Update nimbus-jose-jwt

[florianberthe]

spring-authorization-server  v1.5.2 depends on com.nimbusds:nimbus-jose-jwt  v9.47, which is vulnerable to CVE-2025-53864 (uncontrolled recursion -> DoS).

Sources :

• GHSA-xwmg-2g98-w7v9
• https://mvnrepository.com/artifact/com.nimbusds/nimbus-jose-jwt/9.47

The nimbus-jose-jwt project backported the gson upgrade in version 9.37.4 and this new release was bumped into spring security bom. Unfortunately, Spring Authorization Server don't use the release from Spring Security Bom.

How to fix this CVE in my project using latest release ?

• Should I request the nimbus-jose-jwt project to backport the fix also in v9.47 ?
• Is forcing the downgrade to v9.37.4 possible ?
• Any other idea ?

Thank you

[jgrandja]

@florianberthe

Is forcing the downgrade to v9.37.4 possible ?

We cannot downgrade a dependency in a patch version.

Should I request the nimbus-jose-jwt project to backport the fix also in v9.47 ?

This would be the best option. See similar request.

[florianberthe]

@florianberthe

Is forcing the downgrade to v9.37.4 possible ?

We cannot downgrade a dependency in a patch version.

Should I request the nimbus-jose-jwt project to backport the fix also in v9.47 ?

This would be the best option. See similar request.

@jgrandja
I created a ticket for a new backport : https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/602/back-port-cve-2025-53864-fix-to-a-new-947x. I hope it will be possible !

[florianberthe]

Hi @jgrandja , there is no update for the moment.
I'm thinking about a workaround. Why the version from authorization-server is different from the one used in Spring Security ? Do you think it is possible to downgrade to v9.37.4 in a third project ? Thank you.

[jgrandja]

@florianberthe

Why the version from authorization-server is different from the one used in Spring Security

We always upgrade to the latest version of dependencies in the latest version of code. Spring Security has the latest version of authorization-server.

Do you think it is possible to downgrade to v9.37.4 in a third project

I don't understand what you mean by 3rd project?

[florianberthe]

@florianberthe

Why the version from authorization-server is different from the one used in Spring Security

We always upgrade to the latest version of dependencies in the latest version of code. Spring Security has the latest version of authorization-server.

Regarding nimbus-jose-jwt, I checked versions in
https://mvnrepository.com/artifact/org.springframework.security/spring-security-oauth2-authorization-server/1.5.2 => 9.47.0
https://mvnrepository.com/artifact/org.springframework.security/spring-security-oauth2-jose/6.5.5 => 9.37.4
I wonder why there are not aligned.

Do you think it is possible to downgrade to v9.37.4 in a third project

I don't understand what you mean by 3rd project?

Sorry I wasn't clear. I mean a project using authorization-server as dependency.

Thank you

[jgrandja]

@florianberthe

I wonder why there are not aligned.

Spring Authorization Server only depends on nimbus-jose-jwt, whereas Spring Security depends on nimbus-jose-jwt AND oauth2-oidc-sdk. There were issues in the oauth2-oidc-sdk library where a dependency was downgraded unexpectedly which caused issues on our end so we had to remain on an older version of oauth2-oidc-sdk and nimbus-jose-jwt.

Since Spring Authorization Server only depends on nimbus-jose-jwt, it kept up to the latest version.

Sorry I wasn't clear. I mean a project using authorization-server as dependency.

You can certainly try to downgrade in your project and I'm fairly confident it will still work but I cannot guarantee it. You'll just have to try it and ensure things are working as expected.

[florianberthe]

I understand better now ! I will try a downgrade and keep you aware knowing I only needs client_credentials flow working.

[florianberthe]

Downgrading to v9.37.4 doesn't cause problems regarding my usage. This si comforting.