CVE-2025-22149

Jan. 9, 2025, 6:15 p.m.

None
No Score

Description

JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value).

Product(s) Impacted

Product Versions
JWK Set (JSON Web Key Set)
  • 0.5.0
  • 0.6.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-672
Operation on a Resource after Expiration or Release
The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

References

https://github.com/MicahParks/jwkset/commit/01db49a90f7f20c7fb39a699a2f19a7a5f379ed3
https://github.com/MicahParks/jwkset/issues/40
https://github.com/MicahParks/jwkset/security/advisories/GHSA-675f-rq2r-jw82

Tags

security-advisories@github.com
CWE-672
2025-01-09
CVE-2025-22149

Timeline

Published: Jan. 9, 2025, 6:15 p.m.
Last Modified: Jan. 9, 2025, 6:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.