CVE-2025-22149

JWK Set's HTTP client only overwrites and appends JWK to local cache during refresh

Description

JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value).

Category

2.1
CVSS
Severity: Low
CVSS 4.0 •
EPSS 0.12%
Affected: MicahParks jwkset
Published at:
Updated at:

References

Link Tags
https://github.com/MicahParks/jwkset/security/advisories/GHSA-675f-rq2r-jw82
https://github.com/MicahParks/jwkset/issues/40
https://github.com/MicahParks/jwkset/commit/01db49a90f7f20c7fb39a699a2f19a7a5f379ed3
https://www.vicarius.io/vsociety/posts/cve-2025-22149-detect-jwkset-vulnerability-in-go-projects-1
https://www.vicarius.io/vsociety/posts/cve-2025-22149-mitigate-jwkset-vulnerability-in-go-projects

Frequently Asked Questions

What is the severity of CVE-2025-22149?
CVE-2025-22149 has been scored as a low severity vulnerability.
How to fix CVE-2025-22149?
To fix CVE-2025-22149, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-22149 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-22149 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-22149?
CVE-2025-22149 affects MicahParks jwkset.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.