CVE-2025-22149 is a vulnerability identified in the MicahParks jwkset Go library, specifically affecting versions from 0.5.0 up to but not including 0.6.0. The vulnerability relates to the handling of JSON Web Key Sets (JWK Sets) in the library's provided HTTP client, which includes an auto-caching mechanism for remote JWK Sets. The issue arises because the local cache update logic does not perform a full replacement of the cached keys when refreshing from the remote source. Instead, it overwrites or appends keys, which can lead to stale or revoked keys remaining in the cache. This behavior is problematic in scenarios where key removal from a JWK Set is intended to signify key revocation. If revoked keys persist in the cache, clients may continue to trust and use these keys, potentially allowing unauthorized access or cryptographic operations with invalid keys. The vulnerability is classified under CWE-672, which involves operations on resources after expiration or release, indicating that the cache update mishandles the lifecycle of keys. The flaw requires the use of the auto-caching HTTP client introduced in version 0.5.0 and was corrected in version 0.6.0 by ensuring a full replacement of the cached keys during refresh. No known exploits are reported in the wild, and the CVSS v4.0 score is low (2.1), reflecting limited impact and exploitation complexity. The vulnerability does not require user interaction but does require privileges to trigger the refresh mechanism. The only workaround before upgrading is to disable the auto-caching client by setting the HTTPClientStorageOptions.RefreshInterval to zero or omitting it, thereby forcing manual cache management or a custom implementation.

For European organizations relying on the MicahParks jwkset library in their Go-based applications, particularly those using the auto-caching HTTP client for JWK Set management, this vulnerability could undermine the trustworthiness of cryptographic key validation. The persistence of revoked keys in the cache could allow attackers or compromised entities to continue using invalidated keys for authentication, authorization, or encryption operations. This may lead to unauthorized access to sensitive systems or data, undermining confidentiality and integrity. However, given the low CVSS score and the requirement for privileged access to trigger the issue, the overall risk is limited. Organizations using this library in critical identity and access management systems, token validation services, or secure communications could face subtle security risks if they do not update or mitigate the vulnerability. The impact is more pronounced in environments where key revocation is a frequent and critical operation. Since the vulnerability does not affect availability and requires specific library versions, the scope is constrained but still relevant for affected deployments.

The primary mitigation is to upgrade the MicahParks jwkset library to version 0.6.0 or later, where the issue is fixed by implementing a full replacement of the cached JWK Set during refresh. Until an upgrade is feasible, organizations should disable the auto-caching HTTP client by setting HTTPClientStorageOptions.RefreshInterval to zero or not specifying it, forcing manual cache refreshes or the use of a custom caching implementation that ensures proper key removal. Additionally, organizations should audit their usage of the jwkset library to identify affected components and verify that key revocation processes are functioning correctly. Implementing monitoring to detect the use of revoked keys and enforcing strict key lifecycle management policies can further reduce risk. Finally, reviewing access controls to limit who can trigger cache refreshes or update keys will help contain potential exploitation.