{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-22149", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-12-30T03:00:33.654Z", "datePublished": "2025-01-09T17:22:59.757Z", "dateUpdated": "2025-05-23T19:56:35.937Z"}, "containers": {"cna": {"title": "JWK Set's HTTP client only overwrites and appends JWK to local cache during refresh", "problemTypes": [{"descriptions": [{"cweId": "CWE-672", "lang": "en", "description": "CWE-672: Operation on a Resource after Expiration or Release", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 2.1, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/MicahParks/jwkset/security/advisories/GHSA-675f-rq2r-jw82", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MicahParks/jwkset/security/advisories/GHSA-675f-rq2r-jw82"}, {"name": "https://github.com/MicahParks/jwkset/issues/40", "tags": ["x_refsource_MISC"], "url": "https://github.com/MicahParks/jwkset/issues/40"}, {"name": "https://github.com/MicahParks/jwkset/commit/01db49a90f7f20c7fb39a699a2f19a7a5f379ed3", "tags": ["x_refsource_MISC"], "url": "https://github.com/MicahParks/jwkset/commit/01db49a90f7f20c7fb39a699a2f19a7a5f379ed3"}], "affected": [{"vendor": "MicahParks", "product": "jwkset", "versions": [{"version": ">= 0.5.0, < 0.6.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-09T17:22:59.757Z"}, "descriptions": [{"lang": "en", "value": "JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value)."}], "source": {"advisory": "GHSA-675f-rq2r-jw82", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-09T18:08:52.573069Z", "id": "CVE-2025-22149", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-09T18:09:01.964Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-05-23T19:56:35.937Z"}, "references": [{"url": "https://www.vicarius.io/vsociety/posts/cve-2025-22149-detect-jwkset-vulnerability-in-go-projects-1"}, {"url": "https://www.vicarius.io/vsociety/posts/cve-2025-22149-mitigate-jwkset-vulnerability-in-go-projects"}], "title": "CVE Program Container", "x_generator": {"engine": "ADPogram 0.0.1"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.vicarius.io/vsociety/posts/cve-2025-22149-detect-jwkset-vulnerability-in-go-projects-1"}, {"url": "https://www.vicarius.io/vsociety/posts/cve-2025-22149-mitigate-jwkset-vulnerability-in-go-projects"}], "x_generator": {"engine": "ADPogram 0.0.1"}, "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-05-23T19:56:35.937Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-22149", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-09T18:08:52.573069Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-09T18:08:56.235Z"}}], "cna": {"title": "JWK Set's HTTP client only overwrites and appends JWK to local cache during refresh", "source": {"advisory": "GHSA-675f-rq2r-jw82", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "MicahParks", "product": "jwkset", "versions": [{"status": "affected", "version": ">= 0.5.0, < 0.6.0"}]}], "references": [{"url": "https://github.com/MicahParks/jwkset/security/advisories/GHSA-675f-rq2r-jw82", "name": "https://github.com/MicahParks/jwkset/security/advisories/GHSA-675f-rq2r-jw82", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/MicahParks/jwkset/issues/40", "name": "https://github.com/MicahParks/jwkset/issues/40", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/MicahParks/jwkset/commit/01db49a90f7f20c7fb39a699a2f19a7a5f379ed3", "name": "https://github.com/MicahParks/jwkset/commit/01db49a90f7f20c7fb39a699a2f19a7a5f379ed3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-672", "description": "CWE-672: Operation on a Resource after Expiration or Release"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-09T17:22:59.757Z"}}}, "cveMetadata": {"cveId": "CVE-2025-22149", "state": "PUBLISHED", "dateUpdated": "2025-05-23T19:56:35.937Z", "dateReserved": "2024-12-30T03:00:33.654Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-01-09T17:22:59.757Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value)."}, {"lang": "es", "value": "JWK Set (JSON Web Key Set) es una implementaci\u00f3n de JWK y JWK Set Go. Antes de la versi\u00f3n 0.6.0, la cach\u00e9 local de JWK Set del cliente HTTP proporcionado por el proyecto deber\u00eda realizar un reemplazo completo cuando la goroutine actualiza el JWK Set remoto. El comportamiento actual es sobrescribir o agregar. Este es un problema de seguridad para los casos de uso que utilizan el cliente HTTP de almacenamiento en cach\u00e9 autom\u00e1tico proporcionado y donde la eliminaci\u00f3n de claves de un JWK Set es equivalente a la revocaci\u00f3n. El cliente HTTP de almacenamiento en cach\u00e9 autom\u00e1tico afectado se agreg\u00f3 en la versi\u00f3n v0.5.0 y se solucion\u00f3 en la v0.6.0. El \u00fanico workaround ser\u00eda eliminar el cliente HTTP de almacenamiento en cach\u00e9 autom\u00e1tico proporcionado y reemplazarlo con una implementaci\u00f3n personalizada. Esto implica configurar HTTPClientStorageOptions.RefreshInterval en cero (o no especificar el valor)."}], "id": "CVE-2025-22149", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-01-09T18:15:30.233", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/MicahParks/jwkset/commit/01db49a90f7f20c7fb39a699a2f19a7a5f379ed3"}, {"source": "security-advisories@github.com", "url": "https://github.com/MicahParks/jwkset/issues/40"}, {"source": "security-advisories@github.com", "url": "https://github.com/MicahParks/jwkset/security/advisories/GHSA-675f-rq2r-jw82"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.vicarius.io/vsociety/posts/cve-2025-22149-detect-jwkset-vulnerability-in-go-projects-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.vicarius.io/vsociety/posts/cve-2025-22149-mitigate-jwkset-vulnerability-in-go-projects"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-672"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}