com.nimbusds:nimbus-jose-jwt (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package com.nimbusds:nimbus-jose-jwt, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (6)
CVE-2019-17195 — CVSS 9.8 (critical): Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application…
CVE-2017-12972 — CVSS 7.5 (high): In Nimbus JOSE+JWT before 4.39, there is no integer-overflow check when converting length values from bytes to bits, which allows attackers…
CVE-2017-12974 — CVSS 7.5 (high): Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified…
CVE-2023-52428 — CVSS 7.5 (high): In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header…
CVE-2025-53864 — CVSS 5.8 (medium): Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a…
CVE-2017-12973 — CVSS 3.1 (low): Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows…