java-cas-client 4.0.4: CVE-2025-53864 in transitive nimbus-jose-jwt; master fixed but no new release


smallbun

Jan 5, 2026, 12:53:13 AM
to CAS Community
Hi all,

CVE-2025-53864 affects the transitive dependency nimbus-jose-jwt 9.37.3 used by java-cas-client 4.0.4. I see master has already bumped to a non-vulnerable version, but a new release hasn’t been published for quite some time. Could you please consider cutting a patched release (or a 4.0.5/4.1.0) to get the fix onto Maven Central?

In the meantime, we can override the dependency via dependencyManagement, but an official release would help downstreams avoid pinning and ensure a consistent security posture. If there's a planned timeline or pre-release we can consume, please let us know.

Thanks!
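The dependencyManagement workaround mentioned in the post, written out as an added example (this is not code from the post or from the java-cas-client project). It assumes the artifact coordinates org.apereo.cas.client:cas-client-core for java-cas-client 4.0.4 and com.nimbusds:nimbus-jose-jwt for the transitive dependency, and it uses a placeholder property for the patched nimbus-jose-jwt version: the post does not state which version master moved to, so take the fixed version from the CVE-2025-53864 advisory rather than from this snippet.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>cas-consumer</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- Assumption: set this to the non-vulnerable nimbus-jose-jwt version
         named in the CVE-2025-53864 advisory. The value below is a placeholder. -->
    <nimbus-jose-jwt.version>FIXED_VERSION_FROM_ADVISORY</nimbus-jose-jwt.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Maven's nearest-wins resolution would otherwise keep the 9.37.3
           pulled in transitively by cas-client-core 4.0.4. An entry here
           pins every occurrence of the artifact in the graph, direct or
           transitive, to the managed version. -->
      <dependency>
        <groupId>com.nimbusds</groupId>
        <artifactId>nimbus-jose-jwt</artifactId>
        <version>${nimbus-jose-jwt.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Assumed coordinates for java-cas-client 4.0.4; unchanged, the
         override above applies to its transitive dependency only. -->
    <dependency>
      <groupId>org.apereo.cas.client</groupId>
      <artifactId>cas-client-core</artifactId>
      <version>4.0.4</version>
    </dependency>
  </dependencies>
</project>
```

After applying the override, confirm that the vulnerable version is actually gone from the resolved graph rather than trusting the pom: `mvn dependency:tree -Dincludes=com.nimbusds:nimbus-jose-jwt` should show only the managed version, with no remaining 9.37.3 node. Keep the pin until an official java-cas-client release carries the bump, then remove it so the project's own tested version wins again.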