CVE-2025-21085

PingFederate OAuth Grant attribute duplication may use excessive memory

Description

PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization.

Remediation

Workaround:

  • Configuration options to mitigate: * Minimum Interval to Roll Refresh Tokens * Refresh Token Rolling Grace Period (Seconds)

Category

2.1
CVSS
Severity: Low
CVSS 4.0 •
EPSS 0.04%
Affected: Ping Identity PingFederate
Published at:
Updated at:

References

Link Tags
https://support.pingidentity.com/s/article/PingFederate-grant-attribute-duplication-with-PostgreSQL mitigation
https://www.pingidentity.com/en/resources/downloads/pingfederate.html patch

Frequently Asked Questions

What is the severity of CVE-2025-21085?
CVE-2025-21085 has been scored as a low severity vulnerability.
How to fix CVE-2025-21085?
As a workaround for remediating CVE-2025-21085: Configuration options to mitigate: * Minimum Interval to Roll Refresh Tokens * Refresh Token Rolling Grace Period (Seconds)
Is CVE-2025-21085 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-21085 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-21085?
CVE-2025-21085 affects Ping Identity PingFederate.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.