PT-2025-4383
Author: Rohitkoul
Published: 2025-01-09
Updated: 2025-05-23
CVE-2025-22149
CVSS v4.0: 2.1 (Low)
| Vector | AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
JWK Set versions prior to 0.6.0
Description
The project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. However, the current behavior is to overwrite or append, which is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. An example attack scenario involves an attacker using a stolen private key to sign content after the key has been removed from the JWK Set.
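To make the cache semantics concrete, the following Go snippet is an added illustration (not the jwkset project's code): a minimal local cache keyed by "kid", with the merge-on-refresh behaviour described above beside the full-replacement behaviour that the fix requires. The JWK and Cache types, the refresh functions, and the k1/k2 sample keys are all constructed for this example.

```go
package main

import "fmt"

// JWK is a minimal public-key record; example type, not the jwkset library's.
type JWK struct{ KID, Alg string }

// Cache is the local copy of the remote JWK Set, keyed by "kid".
type Cache struct{ keys map[string]JWK }

func NewCache() *Cache { return &Cache{keys: map[string]JWK{}} }

// RefreshMerge models the vulnerable behaviour: remote keys overwrite or are
// appended, so a key removed upstream is never evicted locally.
func (c *Cache) RefreshMerge(remote []JWK) {
	for _, k := range remote {
		c.keys[k.KID] = k
	}
}

// RefreshReplace models the fixed behaviour: the local set becomes exactly
// the remote set, so removal upstream takes effect at the next refresh.
func (c *Cache) RefreshReplace(remote []JWK) {
	fresh := make(map[string]JWK, len(remote))
	for _, k := range remote {
		fresh[k.KID] = k
	}
	c.keys = fresh
}

// Trusts reports whether a signature under the given kid would still verify.
func (c *Cache) Trusts(kid string) bool { _, ok := c.keys[kid]; return ok }

// RevokedKeyTrusted runs one refresh cycle in which "k1" is dropped from the
// remote set (constructed sample) and reports whether k1 is still trusted.
func RevokedKeyTrusted(refresh func(*Cache, []JWK)) bool {
	before := []JWK{{"k1", "RS256"}, {"k2", "RS256"}}
	after := []JWK{{"k2", "RS256"}} // k1 removed from the set == revoked
	c := NewCache()
	refresh(c, before)
	refresh(c, after)
	return c.Trusts("k1")
}

func main() {
	fmt.Println("merge keeps revoked key:", RevokedKeyTrusted((*Cache).RefreshMerge))     // true
	fmt.Println("replace keeps revoked key:", RevokedKeyTrusted((*Cache).RefreshReplace)) // false
}
```

A verifier built on the merge variant keeps accepting signatures from k1 after the operator has removed it, which is exactly the revocation gap the advisory describes.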
Recommendations
For versions prior to 0.6.0, upgrade to version 0.6.0 or later to resolve the issue.
As a temporary workaround, consider removing the provided auto-caching HTTP client and replacing it with a custom implementation, by setting HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value).
Affected Products
Jwk Set
Suse