We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-22149

JWK Set's HTTP client only overwrites and appends JWK to local cache during refresh



Description

JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value).

Reserved 2024-12-30 | Published 2025-01-09 | Updated 2025-01-09 | Assigner GitHub_M


LOW: 2.1CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Problem types

CWE-672: Operation on a Resource after Expiration or Release

Product status

>= 0.5.0, < 0.6.0
affected

References

github.com/...jwkset/security/advisories/GHSA-675f-rq2r-jw82

github.com/MicahParks/jwkset/issues/40

github.com/...ommit/01db49a90f7f20c7fb39a699a2f19a7a5f379ed3

cve.org (CVE-2025-22149)

nvd.nist.gov (CVE-2025-22149)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2025-22149

Support options

Helpdesk Chat, Email, Knowledgebase
Subscribe to our newsletter to learn more about our work.