CVE-2025-22149 (GCVE-0-2025-22149)

Vulnerability from cvelistv5 – Published: 2025-01-09 17:22 – Updated: 2025-05-23 19:56
Summary
JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value).
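To make the advisory's distinction concrete, the following is an added Go example (not the jwkset library's own code; the types, the refresh logic and the two sample fetches are constructed for illustration). It runs a kid-indexed cache through a refresh in which the upstream set has dropped a key, once with the overwrite-or-append semantics the advisory describes for 0.5.x and once with the full replacement introduced in 0.6.0.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Illustrative reimplementation, not the jwkset library's own types: a JWK
// reduced to its "kid" and the {"keys":[...]} wire format of a JWK Set.
type JWK struct{ KID string `json:"kid"` }
type JWKSet struct {
	Keys []JWK `json:"keys"`
}

// Cache is the local copy a token verifier consults, indexed by kid.
type Cache struct{ keys map[string]JWK }

// Refresh applies a freshly fetched JWK Set to the cache. fullReplace=false
// models the pre-0.6.0 behaviour the advisory describes (overwrite or append,
// never delete); fullReplace=true models the 0.6.0 fix (swap the whole map).
func (c *Cache) Refresh(body []byte, fullReplace bool) error {
	var set JWKSet
	if err := json.Unmarshal(body, &set); err != nil {
		return err
	}
	fresh := make(map[string]JWK, len(set.Keys))
	for _, k := range set.Keys {
		fresh[k.KID] = k
	}
	if fullReplace || c.keys == nil {
		c.keys = fresh // the remote set becomes the cache wholesale
	} else {
		for kid, k := range fresh { // merge: a kid gone upstream survives here
			c.keys[kid] = k
		}
	}
	return nil
}

// Constructed sample responses: the second fetch drops "old" (revocation).
var (
	firstFetch  = []byte(`{"keys":[{"kid":"old","kty":"RSA"},{"kid":"new","kty":"RSA"}]}`)
	secondFetch = []byte(`{"keys":[{"kid":"new","kty":"RSA"}]}`)
)

// RevokedKeyStillCached runs both fetches through one strategy and reports
// whether the revoked kid "old" would still be served afterwards.
func RevokedKeyStillCached(fullReplace bool) (bool, error) {
	c := &Cache{}
	for _, body := range [][]byte{firstFetch, secondFetch} {
		if err := c.Refresh(body, fullReplace); err != nil {
			return false, err
		}
	}
	_, stillServed := c.keys["old"]
	return stillServed, nil
}

func main() {
	merge, _ := RevokedKeyStillCached(false)
	replace, _ := RevokedKeyStillCached(true)
	fmt.Printf("merge serves revoked kid: %v; full replace serves it: %v\n", merge, replace)
}
```

The same check is a useful unit test for any custom replacement client written under the advisory's workaround: after a refresh, a kid absent from the remote response must be absent from the cache.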
CWE
  • CWE-672 - Operation on a Resource after Expiration or Release
Assigner
  GitHub_M
Impacted products
Vendor      Product   Version
MicahParks  jwkset    Affected: >= 0.5.0, < 0.6.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-22149",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-09T18:08:52.573069Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-09T18:09:01.964Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-05-23T19:56:35.937Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2025-22149-detect-jwkset-vulnerability-in-go-projects-1"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2025-22149-mitigate-jwkset-vulnerability-in-go-projects"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jwkset",
          "vendor": "MicahParks",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.5.0, \u003c 0.6.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project\u0027s provided HTTP client\u0027s local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value)."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.1,
            "baseSeverity": "LOW",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-672",
              "description": "CWE-672: Operation on a Resource after Expiration or Release",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-09T17:22:59.757Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/MicahParks/jwkset/security/advisories/GHSA-675f-rq2r-jw82",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/MicahParks/jwkset/security/advisories/GHSA-675f-rq2r-jw82"
        },
        {
          "name": "https://github.com/MicahParks/jwkset/issues/40",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/MicahParks/jwkset/issues/40"
        },
        {
          "name": "https://github.com/MicahParks/jwkset/commit/01db49a90f7f20c7fb39a699a2f19a7a5f379ed3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/MicahParks/jwkset/commit/01db49a90f7f20c7fb39a699a2f19a7a5f379ed3"
        }
      ],
      "source": {
        "advisory": "GHSA-675f-rq2r-jw82",
        "discovery": "UNKNOWN"
      },
      "title": "JWK Set\u0027s HTTP client only overwrites and appends JWK to local cache during refresh"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-22149",
    "datePublished": "2025-01-09T17:22:59.757Z",
    "dateReserved": "2024-12-30T03:00:33.654Z",
    "dateUpdated": "2025-05-23T19:56:35.937Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

