Description
Brief Summary
I feel like this is a false positive; however, I'm not 100% sure about that.
During our security scan, a library with a vulnerability was found in the Payara Micro jar.
We use https://www.aquasec.com/products/trivy/ for scanning.
It reported that nimbus-jose-jwt in version 9.32.1 was present.
Payara lists in its release notes that it uses nimbus-jose-jwt, but in version 10.4, and we found that the jar is present in this version.
However, because the scanner was complaining, we did a bit more digging, and in fact there is a pom of nimbus in version 9.32.1 present in security-connector-oidc-client.
The full path of the pom location is MICRO-INF\runtime\security-connector-oidc-client.jar\META-INF\maven\com.nimbusds\nimbus-jose-jwt
The security-connector-oidc-client has nimbus as a provided dependency, and the only jar present is the safe 10.4 version, so that's why I think it's a FP.
Expected Outcome
No detection of nimbus-jose-jwt 9.32.1 in Micro or, less preferably, confirmation that we can assume this is a false positive.
Current Outcome
Nimbus-jose-jwt 9.32.1 (hopefully a FP) present in Micro.
Reproducer
Download the original Payara Micro jar from Maven:
https://repo1.maven.org/maven2/fish/payara/extras/payara-micro/6.2025.8/payara-micro-6.2025.8.jar
Operating System
Non-factor
JDK Version
21
Payara Distribution
Payara Micro
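One way to verify this kind of finding locally, as an added example that is not part of the issue or of Payara's own code: a Python script that walks the nested jars inside a fat jar and, for every Maven pom.properties it finds, reports whether the same archive actually ships .class files under that groupId's package. It assumes the scanner keys on META-INF/maven/*/pom.properties (the issue only says "pom"), and the sample jar it builds is constructed to mirror the layout described above, not taken from the real artifact.

```python
import io
import re
import zipfile

POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")

def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#' comments skipped."""
    lines = (ln.strip() for ln in text.splitlines())
    return dict(ln.split("=", 1) for ln in lines if ln and not ln.startswith("#") and "=" in ln)

def audit_archive(name, data):
    """List each Maven pom.properties with whether the archive ships classes under its groupId; recurse into nested jars."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        for n in names:
            m = POM_PROPS.match(n)
            if m:
                p = parse_properties(z.read(n).decode("utf-8", "replace"))
                group = p.get("groupId", m.group(1))
                pkg = group.replace(".", "/") + "/"   # com.nimbusds -> com/nimbusds/
                findings.append({
                    "archive": name,
                    "artifact": f"{group}:{p.get('artifactId', m.group(2))}",
                    "version": p.get("version", "?"),
                    # heuristic: pom metadata with no matching classes is a likely false positive
                    "classes_present": any(c.startswith(pkg) and c.endswith(".class") for c in names),
                })
            elif n.endswith(".jar"):
                findings.extend(audit_archive(f"{name}!/{n}", z.read(n)))
    return findings

def make_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, content in entries.items():
            z.writestr(path, content)
    return buf.getvalue()

def build_sample_micro_jar():
    """Constructed stand-in: the nested oidc-client jar carries only nimbus pom metadata (9.32.1); real classes sit in the 10.4 jar."""
    props = "groupId=com.nimbusds\nartifactId=nimbus-jose-jwt\nversion=%s\n"
    oidc = make_jar({"META-INF/maven/com.nimbusds/nimbus-jose-jwt/pom.properties": props % "9.32.1",
                     "fish/payara/security/oidc/Client.class": b"\xca\xfe\xba\xbe"})
    nimbus = make_jar({"META-INF/maven/com.nimbusds/nimbus-jose-jwt/pom.properties": props % "10.4",
                       "com/nimbusds/jose/JWSObject.class": b"\xca\xfe\xba\xbe"})
    return make_jar({"MICRO-INF/runtime/security-connector-oidc-client.jar": oidc,
                     "MICRO-INF/runtime/nimbus-jose-jwt-10.4.jar": nimbus})
```

To check the real artifact, read the downloaded payara-micro jar into bytes and pass it to audit_archive; an entry whose version is 9.32.1 with classes_present False is metadata without code, which is what the report above describes.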