N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-8916

GHSA ID

GHSA-4cx2-fc23-5wg6

EPSS Score

0.11684%

CWE

CWE-770

Published

8/13/2025

Updated

8/13/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-8916

CVE-2025-8916: Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive Allocation

Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertP... https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.java , https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathRevi... https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.java .

This issue affects Bouncy Castle for Java: from BC 1.44 through 1.78, from BCPKIX FIPS 1.0.0 through 1.0.7, from BCPKIX FIPS 2.0.0 through 2.0.7.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-8916

CVE-2025-8916:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-8916

GHSA ID

GHSA-4cx2-fc23-5wg6

EPSS Score

0.11684%

CWE

CWE-770

Published

8/13/2025

Updated

8/13/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.bouncycastle:bcpkix-jdk15on	maven	>= 1.44, <= 1.78	1.79
org.bouncycastle:bcpkix-jdk15to18	maven	>= 1.44, <= 1.78	1.79
org.bouncycastle:bcpkix-jdk18on	maven	>= 1.44, <= 1.78	1.79
org.bouncycastle:bcpkix-fips	maven	>= 1.0.0, <= 1.0.7	1.0.8
org.bouncycastle:bcpkix-fips	maven	>= 2.0.0, <= 2.0.7	2.0.8

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the checkNameConstraints method of two different PKIXCertPathReviewer classes within the Bouncy Castle library. Both of these methods are responsible for handling subject alternative names from X.509 certificates during path validation. The core of the vulnerability is the lack of a size check on the number of alternative names. An attacker can create a malicious certificate with an extremely large number of these names. When a Java application using a vulnerable version of Bouncy Castle attempts to validate a certificate path containing this malicious certificate, the checkNameConstraints method will be called. This method would then attempt to process all the alternative names, leading to a massive memory allocation that can exhaust the heap space of the Java Virtual Machine, causing a denial-of-service. The provided patches fix this by introducing a hard limit (NAME_CHECK_MAX) on the number of alternative names that will be processed, preventing the excessive allocation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-8916: Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive Allocation

CVE-2025-8916:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

N/A

N/A

Technical Details

CVE-2025-8916: Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive Allocation

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI