CVE-2025-22149

LOW EPSS 40.1%
Published Jan 9, 20251y ago · Modified Jun 17, 20262w ago
2.1 CVSS 4.0
Low
Find Similar
Published Jan 9, 2025 1y ago
Last Modified Jun 17, 2026 2w ago

Description

JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value).

CVSS Details

Base Score
2.1
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity High
Privileges Required High
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
40.1% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-672

References 5

  • github.com https://github.com/MicahParks/jwkset/commit/01db49a90f7f20c7fb39a699a2f19a7a5f379ed3
  • github.com https://github.com/MicahParks/jwkset/issues/40
  • github.com https://github.com/MicahParks/jwkset/security/advisories/GHSA-675f-rq2r-jw82
  • vicarius.io https://www.vicarius.io/vsociety/posts/cve-2025-22149-detect-jwkset-vulnerability-in-go-projects-1
  • vicarius.io https://www.vicarius.io/vsociety/posts/cve-2025-22149-mitigate-jwkset-vulnerability-in-go-projects

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.