vulnerability

Oracle WebLogic: CVE-2025-53864 : Critical Patch Update

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
6	(AV:N/AC:L/Au:N/C:N/I:N/A:P)	Jul 10, 2025	Jan 23, 2026	Jan 23, 2026

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:N/A:P)

Published

Jul 10, 2025

Added

Jan 23, 2026

Modified

Jan 23, 2026

Description

Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.

Solutions

oracle-weblogic-jan-2026-cpu-12_2_1_4_0oracle-weblogic-jan-2026-cpu-14_1_1_0_0oracle-weblogic-jan-2026-cpu-14_1_2_0_0

References

CVE-2025-53864
https://attackerkb.com/topics/CVE-2025-53864
URL-http://www.oracle.com/security-alerts/cpujan2026.html
URL-https://support.oracle.com/support/?anchorId=&documentId=KA1396&page=sptemplate&sptemplate=km-article

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today