CVE-2025-8885

Possible DOS in processing specially formed ASN.1 Object Identifiers

Description

Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java bcprov, bc-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.Com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdentifier.Java. This issue affects Bouncy Castle for Java: from BC 1.0 through 1.77, from BC-FJA 1.0.0 through 1.0.2.5, from BC-FJA 2.0.0 through 2.0.0.

Remediation

Workaround:

Limiting the size of ASN.1 objects that can be loaded from "the wild", or putting in place some other validation for such objects, will mitigate the risk of an exploit by automatically putting a cap on the maximum size of an ASN.1 OBJECT IDENTIFIER.

References

Link	Tags
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%908885

Frequently Asked Questions

What is the severity of CVE-2025-8885?: CVE-2025-8885 has been scored as a medium severity vulnerability.
How to fix CVE-2025-8885?: As a workaround for remediating CVE-2025-8885: Limiting the size of ASN.1 objects that can be loaded from "the wild", or putting in place some other validation for such objects, will mitigate the risk of an exploit by automatically putting a cap on the maximum size of an ASN.1 OBJECT IDENTIFIER.
Is CVE-2025-8885 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2025-8885 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-8885?: CVE-2025-8885 affects Legion of the Bouncy Castle Inc. Bouncy Castle for Java.

Description

Remediation

Category

CWE-770 – Allocation of Resources Without Limits or Throttling

References

Frequently Asked Questions