ghsa-675f-rq2r-jw82
Vulnerability from github
Published: 2025-01-09 17:23
Modified: 2025-01-09 18:57
Summary
JWK Set's HTTP client only overwrites and appends JWK to local cache during refresh
Details

Impact

The auto-caching HTTP client shipped with the project keeps a local copy of a remote JWK Set and refreshes it from a background goroutine. On each refresh the local cache should be replaced wholesale with the freshly fetched set. In the affected versions it is not: existing entries are overwritten and new ones appended, but a JWK that the publisher has removed from the remote set is never deleted from the local cache. This is a security issue for deployments that use the provided auto-caching HTTP client and rely on removing a key from the JWK Set as their means of revoking it.

Example attack scenario:
1. An attacker steals the private key corresponding to a key published in the JWK Set.
2. The publisher of that JWK Set removes the key from the set.
3. The program using the auto-caching HTTP client from github.com/MicahParks/jwkset v0.5.0 through v0.5.21 reaches its HTTPClientStorageOptions.RefreshInterval and refreshes the remote JWK Set, but the removed key stays in its local cache.
4. The attacker keeps signing content (such as JWTs) with the stolen private key, and the program, having no other form of revocation, continues to accept those signatures against the stale cached public key.
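To make the cache semantics concrete, the following is an added Go example, not code from the jwkset project: it models the two refresh behaviours in a small stand-alone cache rather than calling the library's API. It generates two Ed25519 keys, publishes both in a JWK Set, then removes one (the "stolen" key), and compares a merge-style refresh (overwrite or append, as in v0.5.0 through v0.5.21) with a full replacement. A signature made with the removed key still verifies against the merged cache but is rejected once the cache is replaced in full. The jwk and cache types, the key IDs and the sample payload are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
)

// jwk is a minimal JWK shape with only the fields this example needs.
// It is constructed for illustration and is not the jwkset library's type.
type jwk struct {
	Kid string
	Kty string // "OKP" for Ed25519
	Crv string // "Ed25519"
	X   []byte // raw public key bytes (a real JWK carries this base64url-encoded)
}

// jwks is a JWK Set as fetched from the publisher's endpoint.
type jwks struct {
	Keys []jwk
}

// cache is the verifier's local copy of the remote JWK Set, indexed by kid.
type cache struct {
	keys map[string]jwk
}

func newCache() *cache { return &cache{keys: map[string]jwk{}} }

// refreshMerge models the pre-v0.6.0 behaviour the advisory describes: every
// remote JWK overwrites or is appended to the local cache, but a kid that has
// disappeared from the remote set is never removed.
func (c *cache) refreshMerge(remote jwks) {
	for _, k := range remote.Keys {
		c.keys[k.Kid] = k
	}
}

// refreshReplace is the full-replacement semantics the advisory calls for:
// after a refresh the cache holds exactly the remote set, so removing a key
// from the published JWK Set revokes it on the next refresh.
func (c *cache) refreshReplace(remote jwks) {
	fresh := make(map[string]jwk, len(remote.Keys))
	for _, k := range remote.Keys {
		fresh[k.Kid] = k
	}
	c.keys = fresh
}

// kids returns the cached key IDs in sorted order.
func (c *cache) kids() []string {
	out := make([]string, 0, len(c.keys))
	for kid := range c.keys {
		out = append(out, kid)
	}
	sort.Strings(out)
	return out
}

// verify checks an Ed25519 signature with the cached key for kid. An unknown
// kid (one the publisher has removed) or a bad signature yields false.
func (c *cache) verify(kid string, msg, sig []byte) bool {
	k, ok := c.keys[kid]
	if !ok || k.Kty != "OKP" || k.Crv != "Ed25519" || len(k.X) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(k.X), msg, sig)
}

// scenario plays out the advisory's attack: key-a is stolen and then removed by
// the publisher; after RefreshInterval elapses both caches refresh. It reports
// whether a signature made with the stolen key-a is still accepted by the
// merge-style cache and by the full-replacement cache, respectively.
func scenario() (mergeAccepts, replaceAccepts bool) {
	pubA, privA, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pubB, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	keyA := jwk{Kid: "key-a", Kty: "OKP", Crv: "Ed25519", X: pubA}
	keyB := jwk{Kid: "key-b", Kty: "OKP", Crv: "Ed25519", X: pubB}

	published := jwks{Keys: []jwk{keyA, keyB}} // publisher's set before the theft is noticed
	revoked := jwks{Keys: []jwk{keyB}}         // publisher removes key-a: the intended revocation

	merge, replace := newCache(), newCache()
	merge.refreshMerge(published)
	replace.refreshReplace(published)

	payload := []byte("constructed sample token payload") // stands in for a JWT signing input
	sig := ed25519.Sign(privA, payload)                 // attacker signs with the stolen key

	// RefreshInterval elapses; both caches refresh from the revoked set.
	merge.refreshMerge(revoked)
	replace.refreshReplace(revoked)

	return merge.verify("key-a", payload, sig), replace.verify("key-a", payload, sig)
}

func main() {
	m, r := scenario()
	fmt.Printf("merge-style cache still accepts revoked key-a:      %v\n", m) // true
	fmt.Printf("full-replacement cache still accepts revoked key-a: %v\n", r) // false
}
```

The point of the comparison is that the merge-style cache can only ever grow: nothing in refreshMerge can express "this kid is gone", so revocation by removal is silently ignored for as long as the process runs. Whatever caching layer sits in front of a JWK Set endpoint, check that its refresh drops kids absent from the fetched document, not just that it picks up new ones.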

Patches

The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. Upgrade to v0.6.0 or later.

Workarounds

The only workaround is to stop using the provided auto-caching HTTP client and replace it with a custom implementation. This means setting HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value) so that the library's own refresh is not used, and handling the refresh yourself so that the cached set is replaced in full. Upgrading to v0.6.0 is advised.

References

Please see the tracking issue on GitHub for additional details: https://github.com/MicahParks/jwkset/issues/40



{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.5.21"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/MicahParks/jwkset"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.5.0"
            },
            {
              "fixed": "0.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-22149"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-672"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-09T17:23:43Z",
    "nvd_published_at": "2025-01-09T18:15:30Z",
    "severity": "LOW"
  },
  "details": "### Impact\nThe project\u0027s provided HTTP client\u0027s local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation.\n\nExample attack scenario:\n1. An attacker has stolen the private key for a key published in JWK Set.\n2. The publishers of that JWK Set remove that key from the JWK Set.\n3. Enough time has passed that the program using the auto-caching HTTP client found in `github.com/MicahParks/jwkset` v0.5.0-v0.5.21 has elapsed its `HTTPClientStorageOptions.RefreshInterval` duration, causing a refresh of the remote JWK Set.\n4. The attacker is signing content (such as JWTs) with the stolen private key and the system has no other forms of revocation.\n\n### Patches\nThe affected auto-caching HTTP client was added in version `v0.5.0` and fixed in `v0.6.0`. Upgrade to `v0.6.0` or later.\n\n### Workarounds\nThe only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the `HTTPClientStorageOptions.RefreshInterval` to zero (or not specifying the value). Upgrade to `v0.6.0` is advised.\n\n### References\nPlease see the tracking issue on GitHub for additional details: https://github.com/MicahParks/jwkset/issues/40\n",
  "id": "GHSA-675f-rq2r-jw82",
  "modified": "2025-01-09T18:57:32Z",
  "published": "2025-01-09T17:23:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MicahParks/jwkset/security/advisories/GHSA-675f-rq2r-jw82"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22149"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MicahParks/jwkset/issues/40"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MicahParks/jwkset/pull/41"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MicahParks/jwkset/commit/01db49a90f7f20c7fb39a699a2f19a7a5f379ed3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MicahParks/jwkset"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "JWK Set\u0027s HTTP client only overwrites and appends JWK to local cache during refresh"
}

