Security Bulletin: IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is affected by an Uncontrolled Recursion Vulnerability in Connect2id Nimbus JOSE + JWT (CVE-2025-53864)
Description

Summary

Connect2id Nimbus JOSE + JWT is used by IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) as part of integrating with OpenID Connect (OIDC) providers and is affected by an Uncontrolled Recursion Vulnerability (CVE-2025-53864).

Vulnerability Details

CVEID: CVE-2025-53864
DESCRIPTION: Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.
CWE: CWE-674: Uncontrolled Recursion
CVSS Source: [email protected]
CVSS Base score: 5.8
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) | Version(s)
--- | ---
UCD – IBM UrbanCode Deploy | 7.1 – 7.1.2.25
UCD – IBM UrbanCode Deploy | 7.2 – 7.2.3.18
UCD – IBM UrbanCode Deploy | 7.3 – 7.3.2.13
UCD – IBM DevOps Deploy | 8.0 – 8.0.1.8
UCD – IBM DevOps Deploy | 8.1 – 8.1.2.1

Remediation/Fixes

IBM strongly suggests the following: upgrade affected versions to any of 7.1.2.26, 7.2.3.19, 7.3.2.14, 8.0.1.9, 8.1.2.2 or later.

Workarounds and Mitigations…
