CVE-2025-8916
EPSS 0.09%Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive Allocation
描述
Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertP... https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.java , https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathRevi... https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.java . This issue affects Bouncy Castle for Java: from BC 1.44 through 1.78, from BCPKIX FIPS 1.0.0 through 1.0.7, from BCPKIX FIPS 2.0.0 through 2.0.7.
受影響套件(5)
- Debian/bouncycastlefrom 0
- Maven/org.bouncycastle:bcpkix-fips>= 1.0.0, < 1.0.8
- Maven/org.bouncycastle:bcpkix-jdk15on>= 1.44, < 1.79
- Maven/org.bouncycastle:bcpkix-jdk15to18>= 1.44, < 1.79
- Maven/org.bouncycastle:bcpkix-jdk18on>= 1.44, < 1.79
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/S:P/R:U/RE:M/U:Amber |
參考連結(7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-8916
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-8916
- PATCHhttps://github.com/bcgit/bc-java
- WEBhttps://cert-portal.siemens.com/productcert/html/ssa-032379.html
- WEBhttps://github.com/bcgit/bc-java/commit/310b30a4fbf36d13f6cc201ffa7771715641e67e
- WEBhttps://github.com/bcgit/bc-java/commit/ff444a479942d88de64004dc82c3ee32a9e9075a
- WEBhttps://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%908916