[GHSA-xwmg-2g98-w7v9] Nimbus JOSE + JWT is vulnerable to DoS attacks when processing deeply nested JSON#7276
Conversation
Pull request overview
Updates the GHSA advisory metadata for Nimbus JOSE + JWT (CVE-2025-53864) to correct the affected-version ranges so fixed 9.x releases (e.g., 9.47) are no longer flagged as vulnerable.
Changes:
- Refines Maven affected ranges to reflect fixes in 9.37.4 (9.x) and 10.0.2 (10.x), and to cap the 9.38-rc1 range at 9.38.
- Updates the advisory `modified` timestamp.
```json
"affected": [
  {
    "package": {
      "ecosystem": "Maven",
      "name": "com.nimbusds:nimbus-jose-jwt"
```
The details field still states the package is affected "before 10.0.2", which can be read as including all 9.x releases (e.g., 9.47) even though the updated affected ranges now indicate 9.x is fixed as of 9.37.4 (and 9.38 fixes the RC range). Consider updating details to explicitly mention the fixed versions per major line (9.37.4 / 9.38 and 10.0.2) so the narrative matches the corrected version ranges.
I agree with Copilot's suggestion, but can't edit the branch in place, so I'll close this PR & open a new one with the details updated.
I can't edit the branch, but want to make a change, so I'll close this PR & raise a new one with better details.
After digging through the nimbus-jose-jwt code, I can see that I was wrong & the current affected-versions config is correct. (I was confused by the affected library's issue tracker referring to a fix being made on the 9.x branch, when in fact only the 9.37.x branch was fixed; 9.38->9.48 were left unfixed.)
Updates
Comments
The fix for this was originally done in 10.0.2 (https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/583/stackoverflowerror-due-to-deeply-nested)
and was backported to the 9.x branch in 9.37.4 (while, I believe, an RC build 9.38-rc1 was in existence);
the final build of 9.38 included the fix.
The existing affected-versions config is incorrectly flagging 9.47 as vulnerable.
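The disagreement in this thread comes down to how OSV-style `affected[].ranges[].events` (pairs of `introduced` / `fixed` events) are evaluated against a Maven version string, and whether 9.47 falls inside an open range. The following is an added example written for this page; it is not code from the GitHub Advisory Database, from OSV tooling, or from the Nimbus project. The two range sets are assumptions reconstructed from the discussion above (the retracted proposal that closed the 9.38-rc1 range at 9.38, and the reading in the final comment that only 9.37.x was fixed on the 9 line), not the advisory's actual JSON, and the version comparator is a simplified approximation of Maven ordering, enough to place `9.38-rc1` before `9.38`.

```python
import re
from typing import Dict, List, Tuple

# Assumed ranges (hypothetical, reconstructed from the PR discussion; not the advisory's JSON).
# Reading from the final comment: 9.x fixed only in the 9.37.x line; 9.38 through 9.48 unfixed;
# 10.x fixed in 10.0.2.
FINAL_RANGES = [
    {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "9.37.4"}]},
    {"type": "ECOSYSTEM", "events": [{"introduced": "9.38-rc1"}, {"fixed": "10.0.2"}]},
]

# Retracted proposal: the 9.38-rc1 range capped at 9.38, so 9.38+ would not be flagged.
# The 10.x "introduced" value is an assumption.
RETRACTED_RANGES = [
    {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "9.37.4"}]},
    {"type": "ECOSYSTEM", "events": [{"introduced": "9.38-rc1"}, {"fixed": "9.38"}]},
    {"type": "ECOSYSTEM", "events": [{"introduced": "10.0.0"}, {"fixed": "10.0.2"}]},
]

Key = List[Tuple[int, int, str]]


def version_key(version: str) -> Key:
    """Simplified Maven-like ordering key.

    Tokens are split on '.' and '-'. Numeric tokens compare numerically.
    A qualifier token such as 'rc1' gets class 0 so it sorts below a numeric
    token (class 1), which makes 9.38-rc1 < 9.38 once keys are padded.
    """
    key: Key = []
    for tok in re.split(r"[.\-]", version):
        if tok.isdigit():
            key.append((1, int(tok), ""))
        else:
            m = re.fullmatch(r"([A-Za-z]+)(\d*)", tok)
            if m:
                key.append((0, int(m.group(2) or 0), m.group(1).lower()))
            else:
                key.append((0, 0, tok.lower()))
    return key


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b under the simplified ordering."""
    ka, kb = version_key(a), version_key(b)
    pad = (1, 0, "")  # a missing trailing component counts as a release ".0"
    n = max(len(ka), len(kb))
    ka = ka + [pad] * (n - len(ka))
    kb = kb + [pad] * (n - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(version: str, ranges: List[Dict]) -> bool:
    """OSV semantics: affected if introduced <= version < fixed for any event pair,
    or if an 'introduced' event has no following 'fixed' event (open range)."""
    for rng in ranges:
        introduced = None
        for ev in rng["events"]:
            if "introduced" in ev:
                introduced = ev["introduced"]
            elif "fixed" in ev and introduced is not None:
                if compare(introduced, version) <= 0 and compare(version, ev["fixed"]) < 0:
                    return True
                introduced = None
        if introduced is not None and compare(introduced, version) <= 0:
            return True
    return False


def flagged(ranges: List[Dict], versions: List[str]) -> List[str]:
    """Return the subset of versions the given ranges mark as vulnerable."""
    return [v for v in versions if is_affected(v, ranges)]


if __name__ == "__main__":
    sample = ["9.37.3", "9.37.4", "9.37.5", "9.38-rc1", "9.38", "9.47", "10.0.1", "10.0.2"]
    print("final     :", flagged(FINAL_RANGES, sample))
    print("retracted :", flagged(RETRACTED_RANGES, sample))
```

Under the final reading, 9.47 sits inside the open 9.38-rc1 to 10.0.2 range and is correctly flagged, while 9.37.4 and 9.37.5 fall between the two ranges and are not; the retracted ranges would have let every 9.38+ release through. When checking an advisory against a Maven build, use the ecosystem's real comparator (Maven's `ComparableVersion`) rather than an approximation like this one.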