    4 vulnerabilities found for BC Java by Legion of the Bouncy Castle Inc.

    CVE-2025-8916 (GCVE-0-2025-8916)

    Vulnerability from nvd – Published: 2025-08-13 09:31 – Updated: 2026-05-12 12:02
    Title
    Possible DOS in processing large name constraint structures in PKIXCertPathReviewer
    Summary
    Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcpkix on All (API modules), Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BCPKIX FIPS bcpkix-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.java, https://github.com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.java. This issue affects BC Java: from 1.44 through 1.78; BC Java: from 1.44 through 1.78; BCPKIX FIPS: from 1.0.0 through 1.0.7, from 2.0.0 through 2.0.7.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor | Product | Version
    Legion of the Bouncy Castle Inc. | BC Java | Affected: 1.44, ≤ 1.78 (maven)
    Legion of the Bouncy Castle Inc. | BCPKIX FIPS | Affected: 1.0.0, ≤ 1.0.7 (maven); Affected: 2.0.0, ≤ 2.0.7 (maven)
    Siemens | SIMATIC CN 4100 | Affected: 0, < V5.0 (custom)
    Credits
    Bing Shi

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-8916",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-13T13:13:37.616496Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-13T13:13:54.247Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC CN 4100",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "V5.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T12:02:38.443Z",
              "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
              "shortName": "siemens-SADP"
            },
            "references": [
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
              }
            ],
            "x_adpType": "supplier"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo1.maven.org/maven2/org/bouncycastle",
              "defaultStatus": "unaffected",
              "modules": [
                "API"
              ],
              "packageName": "bcpkix",
              "platforms": [
                "All"
              ],
              "product": "BC Java",
              "programFiles": [
                "https://github.com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.java"
              ],
              "repo": "https://github.com/bcgit/bc-java",
              "vendor": "Legion of the Bouncy Castle Inc.",
              "versions": [
                {
                  "lessThanOrEqual": "1.78",
                  "status": "affected",
                  "version": "1.44",
                  "versionType": "maven"
                }
              ]
            },
            {
              "collectionURL": "https://repo1.maven.org/maven2/org/bouncycastle",
              "defaultStatus": "unaffected",
              "modules": [
                "API"
              ],
              "packageName": "bcprov",
              "platforms": [
                "All"
              ],
              "product": "BC Java",
              "programFiles": [
                "https://github.com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.java"
              ],
              "repo": "https://github.com/bcgit/bc-java",
              "vendor": "Legion of the Bouncy Castle Inc.",
              "versions": [
                {
                  "lessThanOrEqual": "1.78",
                  "status": "affected",
                  "version": "1.44",
                  "versionType": "maven"
                }
              ]
            },
            {
              "collectionURL": "https://repo1.maven.org/maven2/org/bouncycastle",
              "defaultStatus": "unaffected",
              "modules": [
                "API"
              ],
              "packageName": "bcpkix-fips",
              "platforms": [
                "All"
              ],
              "product": "BCPKIX FIPS",
              "vendor": "Legion of the Bouncy Castle Inc.",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.7",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "maven"
                },
                {
                  "lessThanOrEqual": "2.0.7",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "maven"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "For an attack to take place the PKIXCertPathReviewer class must be in use by the application under attack and the class must be consuming certificate paths of unknown origin without any form of other validation."
                }
              ],
              "value": "For an attack to take place the PKIXCertPathReviewer class must be in use by the application under attack and the class must be consuming certificate paths of unknown origin without any form of other validation."
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Bing Shi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcpkix on All (API modules), Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BCPKIX FIPS bcpkix-fips on All (API modules) allows Excessive Allocation.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003ehttps://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.Java\u003c/tt\u003e, \u003ctt\u003ehttps://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.Java\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects BC Java: from 1.44 through 1.78; BC Java: from 1.44 through 1.78; BCPKIX FIPS: from 1.0.0 through 1.0.7, from 2.0.0 through 2.0.7.\u003c/p\u003e"
                }
              ],
              "value": "Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcpkix on All (API modules), Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BCPKIX FIPS bcpkix-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.Java, https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.Java.\n\nThis issue affects BC Java: from 1.44 through 1.78; BC Java: from 1.44 through 1.78; BCPKIX FIPS: from 1.0.0 through 1.0.7, from 2.0.0 through 2.0.7."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "USER",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "AMBER",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/S:P/R:U/RE:M/U:Amber",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-12T11:17:08.609Z",
            "orgId": "91579145-5d7b-4cc5-b925-a0262ff19630",
            "shortName": "bcorg"
          },
          "references": [
            {
              "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%908916"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Possible DOS in processing large name constraint structures in PKIXCertPathReveiwer",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Limiting the size of ASN.1 objects that can be loaded from \"the wild\" will mitigate the risk of an exploit by automatically putting a cap on the maximum size of a Name Constraints structure."
                }
              ],
              "value": "Limiting the size of ASN.1 objects that can be loaded from \"the wild\" will mitigate the risk of an exploit by automatically putting a cap on the maximum size of a Name Constraints structure."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "91579145-5d7b-4cc5-b925-a0262ff19630",
        "assignerShortName": "bcorg",
        "cveId": "CVE-2025-8916",
        "datePublished": "2025-08-13T09:31:21.181Z",
        "dateReserved": "2025-08-13T08:52:38.480Z",
        "dateUpdated": "2026-05-12T12:02:38.443Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-8885 (GCVE-0-2025-8885)

    Vulnerability from nvd – Published: 2025-08-12 09:13 – Updated: 2025-09-12 11:09
    Title
    Possible DOS in processing specially formed ASN.1 Object Identifiers
    Summary
    Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BC-FJA bc-fips on All allows Excessive Allocation. This vulnerability is associated with program files https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdentifier.java. This issue affects BC Java: from 1.0 through 1.77; BC-FJA: from 1.0.0 through 1.0.2.5, from 2.0.0 through 2.0.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor | Product | Version
    Legion of the Bouncy Castle Inc. | BC Java | Affected: 1.0, ≤ 1.77 (maven)
    Legion of the Bouncy Castle Inc. | BC-FJA | Affected: 1.0.0, ≤ 1.0.2.5 (maven); Affected: 2.0.0, ≤ 2.0.1 (maven)
    Credits
    Bing Shi

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-8885",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-12T18:14:28.953244Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-12T18:14:43.796Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo1.maven.org/maven2/org/bouncycastle",
              "defaultStatus": "unaffected",
              "modules": [
                "API"
              ],
              "packageName": "bcprov",
              "platforms": [
                "All"
              ],
              "product": "BC Java",
              "programFiles": [
                "https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdentifier.java"
              ],
              "repo": "https://github.com/bcgit/bc-java",
              "vendor": "Legion of the Bouncy Castle Inc.",
              "versions": [
                {
                  "lessThanOrEqual": "1.77",
                  "status": "affected",
                  "version": "1.0",
                  "versionType": "maven"
                }
              ]
            },
            {
              "collectionURL": "https://repo1.maven.org/maven2/org/bouncycastle",
              "defaultStatus": "unaffected",
              "modules": [
                "API"
              ],
              "packageName": "bc-fips",
              "platforms": [
                "All"
              ],
              "product": "BC-FJA",
              "vendor": "Legion of the Bouncy Castle Inc.",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.2.5",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "maven"
                },
                {
                  "lessThanOrEqual": "2.0.1",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "maven"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "To be exposed to the issue a system needs to be consuming ASN.1 structures which are otherwise unvetted or unvalidated."
                }
              ],
              "value": "To be exposed to the issue a system needs to be consuming ASN.1 structures which are otherwise unvetted or unvalidated."
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Bing Shi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BC-FJA bc-fips on All allows Excessive Allocation.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdentifier.Java\"\u003ehttps://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdenti...\u003c/a\u003e\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects BC Java: from 1.0 through 1.77; BC-FJA: from 1.0.0 through 1.0.2.5, from 2.0.0 through 2.0.1.\u003c/p\u003e"
                }
              ],
              "value": "Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BC-FJA bc-fips on All allows Excessive Allocation. This vulnerability is associated with program files  https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdenti... https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdentifier.Java .\n\nThis issue affects BC Java: from 1.0 through 1.77; BC-FJA: from 1.0.0 through 1.0.2.5, from 2.0.0 through 2.0.1."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "USER",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "AMBER",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/S:P/R:U/RE:M/U:Amber",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-12T11:09:08.850Z",
            "orgId": "91579145-5d7b-4cc5-b925-a0262ff19630",
            "shortName": "bcorg"
          },
          "references": [
            {
              "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%908885"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Possible DOS in processing specially formed ASN.1 Object Identifiers",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Limiting the size of ASN.1 objects that can be loaded from \"the wild\", or putting in place some other validation for such objects, will mitigate the risk of an exploit by automatically putting a cap on the maximum size of an ASN.1 OBJECT IDENTIFIER.\u0026nbsp;"
                }
              ],
              "value": "Limiting the size of ASN.1 objects that can be loaded from \"the wild\", or putting in place some other validation for such objects, will mitigate the risk of an exploit by automatically putting a cap on the maximum size of an ASN.1 OBJECT IDENTIFIER."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "91579145-5d7b-4cc5-b925-a0262ff19630",
        "assignerShortName": "bcorg",
        "cveId": "CVE-2025-8885",
        "datePublished": "2025-08-12T09:13:42.770Z",
        "dateReserved": "2025-08-12T08:07:48.262Z",
        "dateUpdated": "2025-09-12T11:09:08.850Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-8916 (GCVE-0-2025-8916)

    Vulnerability from cvelistv5 – Published: 2025-08-13 09:31 – Updated: 2026-05-12 12:02
    Title
    Possible DOS in processing large name constraint structures in PKIXCertPathReviewer
    Summary
    Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcpkix on All (API modules), Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BCPKIX FIPS bcpkix-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.java, https://github.com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.java. This issue affects BC Java: from 1.44 through 1.78; BC Java: from 1.44 through 1.78; BCPKIX FIPS: from 1.0.0 through 1.0.7, from 2.0.0 through 2.0.7.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor | Product | Version
    Legion of the Bouncy Castle Inc. | BC Java | Affected: 1.44, ≤ 1.78 (maven)
    Legion of the Bouncy Castle Inc. | BCPKIX FIPS | Affected: 1.0.0, ≤ 1.0.7 (maven); Affected: 2.0.0, ≤ 2.0.7 (maven)
    Siemens | SIMATIC CN 4100 | Affected: 0, < V5.0 (custom)
    Credits
    Bing Shi

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-8916",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-13T13:13:37.616496Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-13T13:13:54.247Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC CN 4100",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "V5.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T12:02:38.443Z",
              "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
              "shortName": "siemens-SADP"
            },
            "references": [
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
              }
            ],
            "x_adpType": "supplier"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo1.maven.org/maven2/org/bouncycastle",
              "defaultStatus": "unaffected",
              "modules": [
                "API"
              ],
              "packageName": "bcpkix",
              "platforms": [
                "All"
              ],
              "product": "BC Java",
              "programFiles": [
                "https://github.com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.java"
              ],
              "repo": "https://github.com/bcgit/bc-java",
              "vendor": "Legion of the Bouncy Castle Inc.",
              "versions": [
                {
                  "lessThanOrEqual": "1.78",
                  "status": "affected",
                  "version": "1.44",
                  "versionType": "maven"
                }
              ]
            },
            {
              "collectionURL": "https://repo1.maven.org/maven2/org/bouncycastle",
              "defaultStatus": "unaffected",
              "modules": [
                "API"
              ],
              "packageName": "bcprov",
              "platforms": [
                "All"
              ],
              "product": "BC Java",
              "programFiles": [
                "https://github.com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.java"
              ],
              "repo": "https://github.com/bcgit/bc-java",
              "vendor": "Legion of the Bouncy Castle Inc.",
              "versions": [
                {
                  "lessThanOrEqual": "1.78",
                  "status": "affected",
                  "version": "1.44",
                  "versionType": "maven"
                }
              ]
            },
            {
              "collectionURL": "https://repo1.maven.org/maven2/org/bouncycastle",
              "defaultStatus": "unaffected",
              "modules": [
                "API"
              ],
              "packageName": "bcpkix-fips",
              "platforms": [
                "All"
              ],
              "product": "BCPKIX FIPS",
              "vendor": "Legion of the Bouncy Castle Inc.",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.7",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "maven"
                },
                {
                  "lessThanOrEqual": "2.0.7",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "maven"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "For an attack to take place the PKIXCertPathReviewer class must be in use by the application under attack and the class must be consuming certificate paths of unknown origin without any form of other validation."
                }
              ],
              "value": "For an attack to take place the PKIXCertPathReviewer class must be in use by the application under attack and the class must be consuming certificate paths of unknown origin without any form of other validation."
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Bing Shi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcpkix on All (API modules), Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BCPKIX FIPS bcpkix-fips on All (API modules) allows Excessive Allocation.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003ehttps://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.Java\u003c/tt\u003e, \u003ctt\u003ehttps://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.Java\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects BC Java: from 1.44 through 1.78; BC Java: from 1.44 through 1.78; BCPKIX FIPS: from 1.0.0 through 1.0.7, from 2.0.0 through 2.0.7.\u003c/p\u003e"
                }
              ],
              "value": "Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcpkix on All (API modules), Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BCPKIX FIPS bcpkix-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.Java, https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.Java.\n\nThis issue affects BC Java: from 1.44 through 1.78; BC Java: from 1.44 through 1.78; BCPKIX FIPS: from 1.0.0 through 1.0.7, from 2.0.0 through 2.0.7."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "USER",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "AMBER",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/S:P/R:U/RE:M/U:Amber",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-12T11:17:08.609Z",
            "orgId": "91579145-5d7b-4cc5-b925-a0262ff19630",
            "shortName": "bcorg"
          },
          "references": [
            {
              "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%908916"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Possible DOS in processing large name constraint structures in PKIXCertPathReveiwer",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Limiting the size of ASN.1 objects that can be loaded from \"the wild\" will mitigate the risk of an exploit by automatically putting a cap on the maximum size of a Name Constraints structure."
                }
              ],
              "value": "Limiting the size of ASN.1 objects that can be loaded from \"the wild\" will mitigate the risk of an exploit by automatically putting a cap on the maximum size of a Name Constraints structure."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "91579145-5d7b-4cc5-b925-a0262ff19630",
        "assignerShortName": "bcorg",
        "cveId": "CVE-2025-8916",
        "datePublished": "2025-08-13T09:31:21.181Z",
        "dateReserved": "2025-08-13T08:52:38.480Z",
        "dateUpdated": "2026-05-12T12:02:38.443Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-8885 (GCVE-0-2025-8885)

    Vulnerability from cvelistv5 – Published: 2025-08-12 09:13 – Updated: 2025-09-12 11:09
    VLAI
    Title
    Possible DOS in processing specially formed ASN.1 Object Identifiers
    Summary
    Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BC-FJA bc-fips on All allows Excessive Allocation. This vulnerability is associated with program files https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdentifier.Java. This issue affects BC Java: from 1.0 through 1.77; BC-FJA: from 1.0.0 through 1.0.2.5, from 2.0.0 through 2.0.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    Legion of the Bouncy Castle Inc. BC Java Affected: 1.0 , ≤ 1.77 (maven)
    Legion of the Bouncy Castle Inc. BC-FJA Affected: 1.0.0 , ≤ 1.0.2.5 (maven)
    Affected: 2.0.0 , ≤ 2.0.1 (maven)
    Credits
    Bing Shi

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-8885",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-12T18:14:28.953244Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-12T18:14:43.796Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo1.maven.org/maven2/org/bouncycastle",
              "defaultStatus": "unaffected",
              "modules": [
                "API"
              ],
              "packageName": "bcprov",
              "platforms": [
                "All"
              ],
              "product": "BC Java",
              "programFiles": [
                "https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdentifier.java"
              ],
              "repo": "https://github.com/bcgit/bc-java",
              "vendor": "Legion of the Bouncy Castle Inc.",
              "versions": [
                {
                  "lessThanOrEqual": "1.77",
                  "status": "affected",
                  "version": "1.0",
                  "versionType": "maven"
                }
              ]
            },
            {
              "collectionURL": "https://repo1.maven.org/maven2/org/bouncycastle",
              "defaultStatus": "unaffected",
              "modules": [
                "API"
              ],
              "packageName": "bc-fips",
              "platforms": [
                "All"
              ],
              "product": "BC-FJA",
              "vendor": "Legion of the Bouncy Castle Inc.",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.2.5",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "maven"
                },
                {
                  "lessThanOrEqual": "2.0.1",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "maven"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "To be exposed to the issue a system needs to be consuming ASN.1 structures which are otherwise unvetted or unvalidated."
                }
              ],
              "value": "To be exposed to the issue a system needs to be consuming ASN.1 structures which are otherwise unvetted or unvalidated."
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Bing Shi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BC-FJA bc-fips on All allows Excessive Allocation.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdentifier.Java\"\u003ehttps://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdenti...\u003c/a\u003e\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects BC Java: from 1.0 through 1.77; BC-FJA: from 1.0.0 through 1.0.2.5, from 2.0.0 through 2.0.1.\u003c/p\u003e"
                }
              ],
              "value": "Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BC-FJA bc-fips on All allows Excessive Allocation. This vulnerability is associated with program files  https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdenti... https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdentifier.Java .\n\nThis issue affects BC Java: from 1.0 through 1.77; BC-FJA: from 1.0.0 through 1.0.2.5, from 2.0.0 through 2.0.1."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "USER",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "AMBER",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/S:P/R:U/RE:M/U:Amber",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-12T11:09:08.850Z",
            "orgId": "91579145-5d7b-4cc5-b925-a0262ff19630",
            "shortName": "bcorg"
          },
          "references": [
            {
              "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%908885"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Possible DOS in processing specially formed ASN.1 Object Identifiers",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Limiting the size of ASN.1 objects that can be loaded from \"the wild\", or putting in place some other validation for such objects, will mitigate the risk of an exploit by automatically putting a cap on the maximum size of an ASN.1 OBJECT IDENTIFIER.\u0026nbsp;"
                }
              ],
              "value": "Limiting the size of ASN.1 objects that can be loaded from \"the wild\", or putting in place some other validation for such objects, will mitigate the risk of an exploit by automatically putting a cap on the maximum size of an ASN.1 OBJECT IDENTIFIER."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "91579145-5d7b-4cc5-b925-a0262ff19630",
        "assignerShortName": "bcorg",
        "cveId": "CVE-2025-8885",
        "datePublished": "2025-08-12T09:13:42.770Z",
        "dateReserved": "2025-08-12T08:07:48.262Z",
        "dateUpdated": "2025-09-12T11:09:08.850Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }