2.1

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-22149

GHSA ID

GHSA-675f-rq2r-jw82

EPSS Score

0.35228%

CWE

CWE-672

Published

1/9/2025

Updated

1/9/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-22149

CVE-2025-22149: JWK Set's HTTP client only overwrites and appends JWK to local cache during refresh

Impact

The project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation.

Example attack scenario:

An attacker has stolen the private key for a key published in JWK Set.
The publishers of that JWK Set remove that key from the JWK Set.
Enough time has passed that the program using the auto-caching HTTP client found in github.com/MicahParks/jwkset v0.5.0-v0.5.21 has elapsed its HTTPClientStorageOptions.RefreshInterval duration, causing a refresh of the remote JWK Set.
The attacker is signing content (such as JWTs) with the stolen private key and the system has no other forms of revocation.

Patches

The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. Upgrade to v0.6.0 or later.

Workarounds

The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value). Upgrade to v0.6.0 is advised.

References

Please see the tracking issue on GitHub for additional details: https://github.com/MicahParks/jwkset/issues/40

(GitHub Advisory)

2.1

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-22149

GHSA ID

GHSA-675f-rq2r-jw82

EPSS Score

0.35228%

CWE

CWE-672

Published

1/9/2025

Updated

1/9/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/MicahParks/jwkset	go	>= 0.5.0, <= 0.5.21	0.6.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the HTTP client's cache refresh mechanism in NewStorageFromHTTP. In vulnerable versions (<=0.5.21), the refresh handler processed remote JWK Sets without first clearing existing keys (no KeyDeleteAll call). The commit diff shows the fix added store.KeyDeleteAll() before processing new keys, confirming the previous absence of cache clearance was the root cause. The function manages the auto-caching behavior described in the vulnerability reports, making it the primary point of failure.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** proj**t's provi*** *TTP *li*nt's lo**l JWK S*t ***** s*oul* *o * *ull r*pl***m*nt w**n t** *oroutin* r**r*s**s t** r*mot* JWK S*t. T** *urr*nt ****vior is to ov*rwrit* or *pp*n*. T*is is * s**urity issu* *or us* **s*s t**t utiliz* t**

Reasoning

T** vuln*r**ility st*ms *rom t** `*TTP` *li*nt's ***** r**r*s* m****nism in `N*wStor****rom*TTP`. In vuln*r**l* v*rsions (<=*.*.**), t** r**r*s* **n*l*r pro**ss** r*mot* JWK S*ts wit*out *irst *l**rin* *xistin* k*ys (no `K*y**l*t**ll` **ll). T** *omm

2.1

Basic Information

Concerned about an active attack path?

CVE-2025-22149: JWK Set's HTTP client only overwrites and appends JWK to local cache during refresh

Impact

Patches

Workarounds

References

2.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI