Upgrade com.nimbusds:nimbus-jose-jwt to ≥ 10.0.2 in Spring Boot 3.5.x to fix CVE‑2025‑53864

[uweguenther]

com.nimbusds:nimbus-jose-jwt:9.37.3 library in Spring Boot 3.5.x should be updated to at least 10.0.2 to resolve CVE-2025-53864

The library is pulled in transitively via:

org.springframework.boot:spring-boot-starter-oauth2-resource-server:3.5.3
    -> org.springframework.security:spring-security-oauth2-jose:6.5.1
            -> com.nimbusds:nimbus-jose-jwt:9.37.3

It looks like the Spring Security team is fixing this only for Spring Security 7.0.0.

For details, see gh-17542 which updates the dependency for Spring Security 7.0.0‑M1 only.

gh-17525 is also realted to gh-17542

[wilkinsona]

We can't upgrade to a new major version of a dependency in a maintenance (patch) release of Spring Boot. You can override the dependency management to meet your needs but compatibility is not guaranteed. If you need some guarantees of compatibility with spring-security-oauth2-jose, please raise this with the Spring Security team. They may have already tested compatibility with 10.0.x or may be able to do so. They may also be able to reach out to the Nimbus maintainers and request a back port of the CVE fix to a 9.37.x release. IIRC, they've done something similar in the past.