CVE-2025-22149: CWE-672: Operation on a Resource after Expiration or Release in MicahParks jwkset

Severity: Low
Tags: Vulnerability, CVE-2025-22149, CWE-672
Published: Thu Jan 09 2025 (01/09/2025, 17:22:59 UTC)
Source: CVE
Vendor/Project: MicahParks
Product: jwkset

Description

JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the local JWK Set cache of the project's provided HTTP client was supposed to do a full replacement when the goroutine refreshed the remote JWK Set, but the actual behavior was to overwrite or append. This is a security issue for use cases that use the provided auto-caching HTTP client and in which key removal from a JWK Set is equivalent to revocation. The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. The only workaround is to remove the provided auto-caching HTTP client and replace it with a custom implementation; this involves setting HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value).

AI-Powered Analysis

AI analysis last updated: 07/08/2025, 21:01:05 UTC

Technical Analysis

CVE-2025-22149 is a vulnerability identified in the MicahParks jwkset Go library, specifically affecting versions from 0.5.0 up to but not including 0.6.0. The vulnerability relates to the handling of JSON Web Key Sets (JWK Sets) in the library's provided HTTP client, which includes an auto-caching mechanism for remote JWK Sets. The issue arises because the local cache update logic does not perform a full replacement of the cached keys when refreshing from the remote source. Instead, it overwrites or appends keys, which can lead to stale or revoked keys remaining in the cache. This behavior is problematic in scenarios where key removal from a JWK Set is intended to signify key revocation. If revoked keys persist in the cache, clients may continue to trust and use these keys, potentially allowing unauthorized access or cryptographic operations with invalid keys.

The vulnerability is classified under CWE-672, which involves operations on resources after expiration or release, indicating that the cache update mishandles the lifecycle of keys. The flaw requires the use of the auto-caching HTTP client introduced in version 0.5.0 and was corrected in version 0.6.0 by ensuring a full replacement of the cached keys during refresh.

No known exploits are reported in the wild, and the CVSS v4.0 score is low (2.1), reflecting limited impact and exploitation complexity. The vulnerability does not require user interaction but does require privileges to trigger the refresh mechanism. The only workaround before upgrading is to disable the auto-caching client by setting the HTTPClientStorageOptions.RefreshInterval to zero or omitting it, thereby forcing manual cache management or a custom implementation.

Potential Impact

For European organizations relying on the MicahParks jwkset library in their Go-based applications, particularly those using the auto-caching HTTP client for JWK Set management, this vulnerability could undermine the trustworthiness of cryptographic key validation. The persistence of revoked keys in the cache could allow attackers or compromised entities to continue using invalidated keys for authentication, authorization, or encryption operations. This may lead to unauthorized access to sensitive systems or data, undermining confidentiality and integrity. However, given the low CVSS score and the requirement for privileged access to trigger the issue, the overall risk is limited. Organizations using this library in critical identity and access management systems, token validation services, or secure communications could face subtle security risks if they do not update or mitigate the vulnerability. The impact is more pronounced in environments where key revocation is a frequent and critical operation. Since the vulnerability does not affect availability and requires specific library versions, the scope is constrained but still relevant for affected deployments.

Mitigation Recommendations

The primary mitigation is to upgrade the MicahParks jwkset library to version 0.6.0 or later, where the issue is fixed by implementing a full replacement of the cached JWK Set during refresh. Until an upgrade is feasible, organizations should disable the auto-caching HTTP client by setting HTTPClientStorageOptions.RefreshInterval to zero or not specifying it, forcing manual cache refreshes or the use of a custom caching implementation that ensures proper key removal. Additionally, organizations should audit their usage of the jwkset library to identify affected components and verify that key revocation processes are functioning correctly. Implementing monitoring to detect the use of revoked keys and enforcing strict key lifecycle management policies can further reduce risk. Finally, reviewing access controls to limit who can trigger cache refreshes or update keys will help contain potential exploitation.
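To make the cache behaviour described in the analysis and the mitigation concrete, the following Go program is an added example, not code from the jwkset project. It models a local JWK Set cache with two refresh strategies: the merge (overwrite or append) behaviour the advisory attributes to versions before 0.6.0, and the full-replacement behaviour of the fix. It also includes a small audit check that lists key IDs the cache still trusts after the remote set stopped publishing them. The keyCache type, refreshMerge, refreshReplace, staleKIDs, simulateRevocation and the key IDs key-a/key-b are all constructed for illustration and do not correspond to jwkset's API.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"sync"
)

// jwk is a constructed stand-in for a JSON Web Key, not jwkset's JWK type.
type jwk struct {
	KID string // "kid" a JWT header uses to select the verification key
	Key string // opaque placeholder for the public key material
}

// keyCache is a hypothetical local JWK Set cache standing in for the
// library's auto-caching storage; lookups are guarded by a RWMutex.
type keyCache struct {
	mu   sync.RWMutex
	keys map[string]jwk
}

func newKeyCache() *keyCache {
	return &keyCache{keys: make(map[string]jwk)}
}

// refreshMerge models the pre-0.6.0 behaviour the advisory describes: remote
// keys are overwritten or appended, but keys missing remotely are never removed.
func (c *keyCache) refreshMerge(remote []jwk) {
	c.mu.Lock()
	defer c.mu.Unlock()
	for _, k := range remote {
		c.keys[k.KID] = k
	}
}

// refreshReplace models the 0.6.0 fix: the cache becomes exactly the remote
// set, so a key removed upstream (revoked) is no longer trusted locally.
func (c *keyCache) refreshReplace(remote []jwk) {
	fresh := make(map[string]jwk, len(remote))
	for _, k := range remote {
		fresh[k.KID] = k
	}
	c.mu.Lock()
	c.keys = fresh
	c.mu.Unlock()
}

var errUnknownKID = errors.New("kid not present in trusted JWK Set")

// lookup is what a token verifier calls with the JWT's kid; a revoked key
// must fail here, otherwise signatures made with it are still accepted.
func (c *keyCache) lookup(kid string) (jwk, error) {
	c.mu.RLock()
	defer c.mu.RUnlock()
	k, ok := c.keys[kid]
	if !ok {
		return jwk{}, errUnknownKID
	}
	return k, nil
}

// staleKIDs is an audit check: key IDs the cache still trusts although the
// remote set no longer publishes them. Non-empty after a refresh means the
// cache retains removed, possibly revoked, keys.
func (c *keyCache) staleKIDs(remote []jwk) []string {
	published := make(map[string]bool, len(remote))
	for _, k := range remote {
		published[k.KID] = true
	}
	c.mu.RLock()
	defer c.mu.RUnlock()
	var stale []string
	for kid := range c.keys {
		if !published[kid] {
			stale = append(stale, kid)
		}
	}
	sort.Strings(stale)
	return stale
}

// simulateRevocation runs two refresh cycles with the given strategy on
// constructed keys: key-a and key-b are published, then key-a is removed
// upstream. It returns true if key-a is still trusted afterwards.
func simulateRevocation(refresh func(*keyCache, []jwk)) bool {
	c := newKeyCache()
	a := jwk{KID: "key-a", Key: "constructed-key-a"}
	b := jwk{KID: "key-b", Key: "constructed-key-b"}
	refresh(c, []jwk{a, b}) // both keys published
	refresh(c, []jwk{b})    // key-a removed from the remote JWK Set
	_, err := c.lookup("key-a")
	return err == nil
}

func main() {
	fmt.Println("merge refresh still trusts revoked key-a:", simulateRevocation((*keyCache).refreshMerge))
	fmt.Println("replace refresh still trusts revoked key-a:", simulateRevocation((*keyCache).refreshReplace))
}
```

Running the program prints true for the merge strategy and false for full replacement: with merge, a signature made by key-a is still verifiable after the issuer dropped the key, which is the CWE-672 condition. The staleKIDs check is the kind of comparison an audit or monitoring hook can run after each refresh to confirm that a custom cache implementation (the workaround) or the upgraded library actually drops removed keys.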

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2024-12-30T03:00:33.654Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6830d58c0acd01a249275509

Added to database: 5/23/2025, 8:07:40 PM

Last enriched: 7/8/2025, 9:01:05 PM

Last updated: 8/12/2025, 2:11:27 AM
