Skip to content

[fix][sec] Override nimbus-jose-jwt to remediate CVE-2023-52428 and CVE-2025-53864 #24937

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
lhotari merged 5 commits into from
Nov 4, 2025
Merged

[fix][sec] Override nimbus-jose-jwt to remediate CVE-2023-52428 and CVE-2025-53864 #24937

lhotari merged 5 commits into from
Nov 4, 2025

Conversation

@guptas6est
Copy link
Contributor

@guptas6est guptas6est commented Nov 3, 2025

Fixes #xyz

Main Issue: #xyz

PIP: #xyz

Motivation

This PR addresses two vulnerabilities affecting the transitive dependency com.nimbusds:nimbus-jose-jwt used across multiple Pulsar modules.

Vulnerabilities remediated:

  • CVE-2023-52428 (HIGH) – Large JWE p2c header value causes a Denial of Service.
  • CVE-2025-53864 (MEDIUM) – Uncontrolled recursion in Connect2id Nimbus JOSE + JWT may lead to stack exhaustion.

Modifications

Explicitly added the com.nimbusds:nimbus-jose-jwt dependency under dependencyManagement in the parent pom.xml to enforce a safe and fixed version (9.37.4) across all transitive usages.

Verifying this change

  • Make sure that the change passes the CI checks.

(Please pick either of the following options)

This change is a trivial rework / code cleanup without any test coverage.

(or)

This change is already covered by existing tests, such as (please describe tests).

(or)

This change added tests and can be verified as follows:

(example:)

  • Added integration tests for end-to-end deployment with large payloads (10MB)
  • Extended integration test for recovery after broker failure

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

  • Dependencies (add or upgrade a dependency)
  • The public API
  • The schema
  • The default values of configurations
  • The threading model
  • The binary protocol
  • The REST endpoints
  • The admin CLI options
  • The metrics
  • Anything that affects deployment

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

Matching PR in forked repository

PR in forked repository:

@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Nov 3, 2025
lhotari
lhotari reviewed Nov 3, 2025
View reviewed changes
lhotari
lhotari reviewed Nov 3, 2025
View reviewed changes
@lhotari
Copy link
Member

lhotari commented Nov 4, 2025

/pulsarbot rerun-failure-checks

@codecov-commenter
Copy link

codecov-commenter commented Nov 4, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.22%. Comparing base (fefe771) to head (a30ef08).

Additional details and impacted files

Impacted file tree graph

@@              Coverage Diff              @@
##             master   #24937       +/-   ##
=============================================
+ Coverage     38.46%   74.22%   +35.75%     
- Complexity    13239    33508    +20269     
=============================================
  Files          1856     1913       +57     
  Lines        145283   149446     +4163     
  Branches      16876    17362      +486     
=============================================
+ Hits          55890   110922    +55032     
+ Misses        81827    29651    -52176     
- Partials       7566     8873     +1307
Flag Coverage Δ
inttests 26.32% <ø> (+0.05%) ⬆️
systests 22.73% <ø> (+0.01%) ⬆️
unittests 73.76% <ø> (+39.07%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1413 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@lhotari lhotari added this to the 4.2.0 milestone Nov 4, 2025
@lhotari lhotari merged commit 676ba07 into apache:master Nov 4, 2025
98 of 100 checks passed
lhotari pushed a commit that referenced this pull request Nov 4, 2025
@guptas6est @lhotari
[fix][sec] Override nimbus-jose-jwt to remediate CVE-2023-52428 and C…
c30cb6a 
…VE-2025-53864 (#24937)

(cherry picked from commit 676ba07)
lhotari pushed a commit that referenced this pull request Nov 4, 2025
@guptas6est @lhotari
[fix][sec] Override nimbus-jose-jwt to remediate CVE-2023-52428 and C…
5ada17f 
…VE-2025-53864 (#24937)

(cherry picked from commit 676ba07)
ganesh-ctds pushed a commit to datastax/pulsar that referenced this pull request Nov 6, 2025
@guptas6est @ganesh-ctds
[fix][sec] Override nimbus-jose-jwt to remediate CVE-2023-52428 and C…
f3e780d 
…VE-2025-53864 (apache#24937)

(cherry picked from commit 676ba07)
(cherry picked from commit 5ada17f)
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Nov 6, 2025
@guptas6est @srinath-ctds
[fix][sec] Override nimbus-jose-jwt to remediate CVE-2023-52428 and C…
14a6749 
…VE-2025-53864 (apache#24937)

(cherry picked from commit 676ba07)
(cherry picked from commit 5ada17f)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lhotari lhotari lhotari approved these changes

@dao-jun dao-jun dao-jun approved these changes

Assignees

No one assigned

Labels

cherry-picked/branch-4.0 cherry-picked/branch-4.1 doc-not-needed Your PR changes do not impact docs release/4.0.8 release/4.1.2

Projects

None yet

Milestone

4.2.0

Development

Successfully merging this pull request may close these issues.

4 participants

@guptas6est @lhotari @codecov-commenter @dao-jun