Vulnerable Library - msal4j-1.17.2.jar
Path to dependency file: /openmetadata-clients/openmetadata-java-client/pom.xml
Path to vulnerable library: /openmetadata-clients/openmetadata-java-client/pom.xml
Found in HEAD commit: 9d91325af8d6b6836292c4bb0ba361ab2cdf10e0
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (msal4j version) |
Remediation Possible** |
| CVE-2025-53864 |
 Medium |
5.8 |
nimbus-jose-jwt-9.40.jar |
Transitive |
1.22.0 |
✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-53864
Vulnerable Library - nimbus-jose-jwt-9.40.jar
Java library for Javascript Object Signing and Encryption (JOSE) and
JSON Web Tokens (JWT)
Library home page: https://connect2id.com
Path to dependency file: /openmetadata-clients/openmetadata-java-client/pom.xml
Path to vulnerable library: /openmetadata-clients/openmetadata-java-client/pom.xml
Dependency Hierarchy:
- msal4j-1.17.2.jar (Root Library)
- oauth2-oidc-sdk-11.18.jar
- ❌ nimbus-jose-jwt-9.40.jar (Vulnerable Library)
Found in HEAD commit: 9d91325af8d6b6836292c4bb0ba361ab2cdf10e0
Found in base branch: main
Vulnerability Details
Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.
Publish Date: 2025-07-11
URL: CVE-2025-53864
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-xwmg-2g98-w7v9
Release Date: 2025-07-11
Fix Resolution (com.nimbusds:nimbus-jose-jwt): 10.0.2
Direct dependency fix Resolution (com.microsoft.azure:msal4j): 1.22.0
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules
Path to dependency file: /openmetadata-clients/openmetadata-java-client/pom.xml
Path to vulnerable library: /openmetadata-clients/openmetadata-java-client/pom.xml
Found in HEAD commit: 9d91325af8d6b6836292c4bb0ba361ab2cdf10e0
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - nimbus-jose-jwt-9.40.jar
Java library for Javascript Object Signing and Encryption (JOSE) and JSON Web Tokens (JWT)
Library home page: https://connect2id.com
Path to dependency file: /openmetadata-clients/openmetadata-java-client/pom.xml
Path to vulnerable library: /openmetadata-clients/openmetadata-java-client/pom.xml
Dependency Hierarchy:
Found in HEAD commit: 9d91325af8d6b6836292c4bb0ba361ab2cdf10e0
Found in base branch: main
Vulnerability Details
Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.
Publish Date: 2025-07-11
URL: CVE-2025-53864
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-xwmg-2g98-w7v9
Release Date: 2025-07-11
Fix Resolution (com.nimbusds:nimbus-jose-jwt): 10.0.2
Direct dependency fix Resolution (com.microsoft.azure:msal4j): 1.22.0
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules