N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-8916

GHSA ID

GHSA-4cx2-fc23-5wg6

EPSS Score

0.11684%

CWE

CWE-770

Published

8/13/2025

Updated

8/13/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-8916

CVE-2025-8916: Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive Allocation

Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertP... https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.java , https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathRevi... https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.java .

This issue affects Bouncy Castle for Java: from BC 1.44 through 1.78, from BCPKIX FIPS 1.0.0 through 1.0.7, from BCPKIX FIPS 2.0.0 through 2.0.7.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-8916

GHSA ID

GHSA-4cx2-fc23-5wg6

EPSS Score

0.11684%

CWE

CWE-770

Published

8/13/2025

Updated

8/13/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.bouncycastle:bcpkix-jdk15on	maven	>= 1.44, <= 1.78	1.79
org.bouncycastle:bcpkix-jdk15to18	maven	>= 1.44, <= 1.78	1.79
org.bouncycastle:bcpkix-jdk18on	maven	>= 1.44, <= 1.78	1.79
org.bouncycastle:bcpkix-fips	maven	>= 1.0.0, <= 1.0.7	1.0.8
org.bouncycastle:bcpkix-fips	maven	>= 2.0.0, <= 2.0.7	2.0.8

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the checkNameConstraints method of two different PKIXCertPathReviewer classes within the Bouncy Castle library. Both of these methods are responsible for handling subject alternative names from X.509 certificates during path validation. The core of the vulnerability is the lack of a size check on the number of alternative names. An attacker can create a malicious certificate with an extremely large number of these names. When a Java application using a vulnerable version of Bouncy Castle attempts to validate a certificate path containing this malicious certificate, the checkNameConstraints method will be called. This method would then attempt to process all the alternative names, leading to a massive memory allocation that can exhaust the heap space of the Java Virtual Machine, causing a denial-of-service. The provided patches fix this by introducing a hard limit (NAME_CHECK_MAX) on the number of alternative names that will be processed, preventing the excessive allocation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*llo**tion o* R*sour**s Wit*out Limits or T*rottlin* vuln*r**ility in L**ion o* t** *oun*y **stl* In*. *oun*y **stl* *or J*v* **pkix, **prov, **pkix-*ips on *ll (*PI mo*ul*s) *llows *x**ssiv* *llo**tion. T*is vuln*r**ility is *sso*i*t** wit* pro*r*m

Reasoning

T** vuln*r**ility li*s in t** `****kN*m**onstr*ints` m*t*o* o* two *i***r*nt `PKIX**rtP*t*R*vi*w*r` *l*ss*s wit*in t** *oun*y **stl* li*r*ry. *ot* o* t**s* m*t*o*s *r* r*sponsi*l* *or **n*lin* su*j**t *lt*rn*tiv* n*m*s *rom X.*** **rti*i**t*s *urin*

N/A

Basic Information

Concerned about an active attack path?

CVE-2025-8916: Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive Allocation

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI