Allocation of Resources Without Limits or Throttling in org.bouncycastle:bcprov-jdk15to18 | CVE-2025-8885

Q: How to fix?

Upgrade org.bouncycastle:bcprov-jdk15to18 to version 1.78 or higher.

Introduced: 12 Aug 2025

NewCVE-2025-8885 (opens in a new tab) CWE-770 (opens in a new tab)

How to fix?

Upgrade org.bouncycastle:bcprov-jdk15to18 to version 1.78 or higher.

Overview

org.bouncycastle:bcprov-jdk15to18 is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the ASN1ObjectIdentifier. An attacker can cause excessive resource consumption by submitting specially crafted ASN.1 Object Identifiers, potentially leading to service disruption.

Note: This issue only applies to applications which do consume unvetted, or otherwise unvalidated, ASN.1 encodings.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
Low

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Allocation of Resources Without Limits or Throttling Affecting org.bouncycastle:bcprov-jdk15to18 package, versions [,1.78)

Severity

Do your applications use this vulnerable package?

Snyk Learn

Introduced: 12 Aug 2025

How to fix?

Overview

References

CVSS Base Scores

Snyk