Update to nimbus-jose-jwt:9.37.4

[florianberthe]

spring-security-oauth2-jose 6.5.3 depends on com.nimbusds:nimbus-jose-jwt 9.37.3, which is vulnerable to CVE-2025-53864 (uncontrolled recursion -> DoS).

The nimbus-jose-jwt project backported the gson upgrade in version 9.37.4, meaning that it is possible to fix this vulnerability in Spring Security 6.5.x.

Please could you release Spring Security with that dependency upgraded to remove this CVE?

Thank you

[florianberthe]

See latest comments on:
#17583
#17542

[florianberthe]

Thank you @jgrandja

[jgrandja]

@florianberthe This is now updated in 6.4.x and 6.5.x - just in time for the releases today.