CVE-2025-22149: CWE-672: Operation on a Resource after Expiration or Release in MicahParks jwkset
JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value).
AI Analysis
Technical Summary
CVE-2025-22149 is a vulnerability identified in the MicahParks jwkset Go library, specifically affecting versions from 0.5.0 up to but not including 0.6.0. The vulnerability relates to the handling of JSON Web Key Sets (JWK Sets) in the library's provided HTTP client, which includes an auto-caching mechanism for remote JWK Sets. The issue arises because the local cache update logic does not perform a full replacement of the cached keys when refreshing from the remote source. Instead, it overwrites or appends keys, which can lead to stale or revoked keys remaining in the cache. This behavior is problematic in scenarios where key removal from a JWK Set is intended to signify key revocation. If revoked keys persist in the cache, clients may continue to trust and use these keys, potentially allowing unauthorized access or cryptographic operations with invalid keys.

The vulnerability is classified under CWE-672, which involves operations on resources after expiration or release, indicating that the cache update mishandles the lifecycle of keys. The flaw requires the use of the auto-caching HTTP client introduced in version 0.5.0 and was corrected in version 0.6.0 by ensuring a full replacement of the cached keys during refresh. No known exploits are reported in the wild, and the CVSS v4.0 score is low (2.1), reflecting limited impact and exploitation complexity. The vulnerability does not require user interaction but does require privileges to trigger the refresh mechanism.

The only workaround before upgrading is to disable the auto-caching client by setting the HTTPClientStorageOptions.RefreshInterval to zero or omitting it, thereby forcing manual cache management or a custom implementation.
Potential Impact
For European organizations relying on the MicahParks jwkset library in their Go-based applications, particularly those using the auto-caching HTTP client for JWK Set management, this vulnerability could undermine the trustworthiness of cryptographic key validation. The persistence of revoked keys in the cache could allow attackers or compromised entities to continue using invalidated keys for authentication, authorization, or encryption operations. This may lead to unauthorized access to sensitive systems or data, undermining confidentiality and integrity. However, given the low CVSS score and the requirement for privileged access to trigger the issue, the overall risk is limited. Organizations using this library in critical identity and access management systems, token validation services, or secure communications could face subtle security risks if they do not update or mitigate the vulnerability. The impact is more pronounced in environments where key revocation is a frequent and critical operation. Since the vulnerability does not affect availability and requires specific library versions, the scope is constrained but still relevant for affected deployments.
Mitigation Recommendations
The primary mitigation is to upgrade the MicahParks jwkset library to version 0.6.0 or later, where the issue is fixed by implementing a full replacement of the cached JWK Set during refresh. Until an upgrade is feasible, organizations should disable the auto-caching HTTP client by setting HTTPClientStorageOptions.RefreshInterval to zero or not specifying it, forcing manual cache refreshes or the use of a custom caching implementation that ensures proper key removal. Additionally, organizations should audit their usage of the jwkset library to identify affected components and verify that key revocation processes are functioning correctly. Implementing monitoring to detect the use of revoked keys and enforcing strict key lifecycle management policies can further reduce risk. Finally, reviewing access controls to limit who can trigger cache refreshes or update keys will help contain potential exploitation.
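The following Go program is an added illustration of the cache behaviour described in the Technical Summary and the fix recommended above; it is not code from the jwkset library. It models a kid-keyed cache with a constructed JWK type (the `JWK`, `KeyCache`, `RefreshMerge`, `RefreshReplace` and `RevokedKidStillTrusted` names are assumptions for this example) and shows that an overwrite-or-append refresh keeps a kid that was removed upstream, while a full replacement drops it.

```go
package main

import "fmt"

// JWK is a minimal stand-in (constructed for this example) for a JSON Web
// Key; only the "kid" matters for the cache behaviour shown here.
type JWK struct{ KID string }

// KeyCache models the local cache of a remote JWK Set, keyed by kid.
type KeyCache struct{ keys map[string]JWK }

// RefreshMerge mirrors the pre-0.6.0 behaviour the advisory describes:
// remote keys overwrite or append by kid, and nothing is ever removed.
func (c *KeyCache) RefreshMerge(remote []JWK) {
	for _, k := range remote {
		c.keys[k.KID] = k
	}
}

// RefreshReplace is the fixed behaviour: the cache becomes exactly the
// remote set, so a key removed upstream (revoked) disappears locally too.
func (c *KeyCache) RefreshReplace(remote []JWK) {
	fresh := make(map[string]JWK, len(remote))
	for _, k := range remote {
		fresh[k.KID] = k
	}
	c.keys = fresh
}

// Trusted reports whether a token signed with kid would still be accepted.
func (c *KeyCache) Trusted(kid string) bool { _, ok := c.keys[kid]; return ok }

// RevokedKidStillTrusted simulates one refresh: two kids, then "key-2024" is
// removed upstream (revocation). merge=true takes the vulnerable path.
func RevokedKidStillTrusted(merge bool) bool {
	c := KeyCache{keys: map[string]JWK{}}
	c.RefreshReplace([]JWK{{KID: "key-2024"}, {KID: "key-2025"}})
	afterRevocation := []JWK{{KID: "key-2025"}}
	if merge {
		c.RefreshMerge(afterRevocation)
	} else {
		c.RefreshReplace(afterRevocation)
	}
	return c.Trusted("key-2024")
}

func main() {
	fmt.Println("merge keeps revoked kid:", RevokedKidStillTrusted(true))    // true
	fmt.Println("replace keeps revoked kid:", RevokedKidStillTrusted(false)) // false
}
```

When auditing a deployment, the same scenario can be run against the real cache in use: remove a kid from the served JWK Set, wait past the refresh interval, and confirm that a token signed with that kid is rejected.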
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2024-12-30T03:00:33.654Z
- Cisa Enriched: true
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6830d58c0acd01a249275509
Added to database: 5/23/2025, 8:07:40 PM
Last enriched: 7/8/2025, 9:01:05 PM
Last updated: 8/15/2025, 3:06:04 PM
Views: 22