Hi all, CVE-2025-53864 affects the transitive dependency nimbus-jose-jwt 9.37.3 used by java-cas-client 4.0.4. I see master has already bumped to a non-vulnerable version, but a new release hasn’t been published for quite some time. Could you please consider cutting a patched release (or a 4.0.5/4.1.0) to get the fix onto Maven Central?
In the meantime, we can override the dependency via dependencyManagement , but an official release would help downstreams avoid pinning and ensure consistent security posture. If there’s a planned timeline or pre-release we can consume, please let us know. Thanks! -- - Website: https://apereo.github.io/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c7b271ac-66b7-4ec6-b69e-655cbec8e9bbn%40apereo.org.
