N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-8885

GHSA ID

GHSA-67mf-3cr5-8w23

EPSS Score

0.11655%

CWE

CWE-770

Published

8/12/2025

Updated

8/12/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-8885

CVE-2025-8885: Bouncy Castle for Java on All (API modules) allows Excessive Allocation

A resource allocation vulnerability exists in Bouncy Castle for Java (by Legion of the Bouncy Castle Inc.) that affects all API modules. The vulnerability allows attackers to cause excessive memory allocation through unbounded resource consumption, potentially leading to denial of service. The issue is located in the ASN1ObjectIdentifier.java file in the core module.

This issue affects Bouncy Castle for Java: from BC 1.0 through 1.77, from BC-FJA 1.0.0 through 2.0.0.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-8885

GHSA ID

GHSA-67mf-3cr5-8w23

EPSS Score

0.11655%

CWE

CWE-770

Published

8/12/2025

Updated

8/12/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.bouncycastle:bcprov-jdk14	maven	>= 1.0, < 1.78	1.78
org.bouncycastle:bcprov-jdk15to18	maven	>= 1.0, < 1.78	1.78
org.bouncycastle:bcprov-jdk18on	maven	>= 1.0, < 1.78	1.78
org.bouncycastle:bctls-jdk14	maven	>= 1.0, < 1.78	1.78
org.bouncycastle:bctls-jdk15to18	maven	>= 1.0, < 1.78	1.78
org.bouncycastle:bctls-jdk18on	maven	>= 1.0, < 1.78	1.78
org.bouncycastle:bc-fips	maven	>= 1.0.0, <= 2.0.0	2.1.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is an excessive allocation issue within the Bouncy Castle library's ASN.1 parsing logic. The core of the problem lies in the ASN1ObjectIdentifier and ASN1RelativeOID classes, which lacked validation for the size of the OID data they were processing. The patch addresses this by introducing a size limit (MAX_CONTENTS_LENGTH) and adding checks in the constructors and methods (branch) that create or extend OIDs. The changes in ASN1InputStream show that the vulnerability could be triggered by parsing a malicious ASN.1 stream, making it a critical pathway for exploitation. The identified functions are the exact locations where the unbounded allocation could occur and are the functions that were modified to enforce the new size limits, making them the vulnerable functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* r*sour** *llo**tion vuln*r**ility *xists in *oun*y **stl* *or J*v* (*y L**ion o* t** *oun*y **stl* In*.) t**t *****ts *ll *PI mo*ul*s. T** vuln*r**ility *llows *tt**k*rs to **us* *x**ssiv* m*mory *llo**tion t*rou** un*oun*** r*sour** *onsumption, p

Reasoning

T** vuln*r**ility is *n *x**ssiv* *llo**tion issu* wit*in t** *oun*y **stl* li*r*ry's *SN.* p*rsin* lo*i*. T** *or* o* t** pro*l*m li*s in t** `*SN*O*j**tI**nti*i*r` *n* `*SN*R*l*tiv*OI*` *l*ss*s, w*i** l**k** v*li**tion *or t** siz* o* t** OI* **t*

N/A

Basic Information

Concerned about an active attack path?

CVE-2025-8885: Bouncy Castle for Java on All (API modules) allows Excessive Allocation

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI