[
https://issues.apache.org/jira/browse/HADOOP-19687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18020889#comment-18020889
]
ASF GitHub Bot commented on HADOOP-19687:
-----------------------------------------
pjfanning commented on PR #7965:
URL: https://github.com/apache/hadoop/pull/7965#issuecomment-3302343034
Could you change the name of the PR and the git commit to use
[HADOOP-19632](https://issues.apache.org/jira/browse/HADOOP-19632)?
> Upgrade nimbus-jose-jwt to 10.0.2+ due to CVE-2025-53864
> --------------------------------------------------------
>
> Key: HADOOP-19687
> URL: https://issues.apache.org/jira/browse/HADOOP-19687
> Project: Hadoop Common
> Issue Type: Task
> Reporter: Rohit Kumar
> Priority: Major
> Labels: pull-request-available
>
> *CVE-2025-53864:*
> Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause
> a denial of service via a deeply nested JSON object supplied in a JWT claim
> set, because of uncontrolled recursion. NOTE: this is independent of the Gson
> 2.11.0 issue because the Connect2id product could have checked the JSON
> object nesting depth, regardless of what limits (if any) were imposed by Gson.
> Severity: 6.9 (medium)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
