How severe is CVE-2025-22149?

This vulnerability has a severity rating of LOW with a CVSS score of N/A out of 10.

What type of vulnerability is CVE-2025-22149?

This is classified as CWE-672, which is a common weakness in software security.

CVE-2025-22149 - LOW Severity | CVSS N/A

Vulnerability Description

JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value).

Related Vulnerabilities

CVE-2020-12043

CRITICAL

CVSS:9.8(Critical)

The Baxter Spectrum WBM (v17, v20D29, v20D30, v20D31, and v22D24) when configured for wireless networking the FTP service operating on the WBM remains operational until the WBM is rebooted.

CWE-6722020

CVE-2020-24030

CRITICAL

CVSS:9.8(Critical)

ForLogic Qualiex v1 and v3 has weak token expiration. This allows remote unauthenticated privilege escalation and access to sensitive data via token reuse.

CWE-6722020

CVE-2024-47571

CRITICAL

CVSS:9.8(Critical)

An operation on a resource after expiration or release in Fortinet FortiManager 6.4.12 through 7.4.0 allows an attacker to gain improper access to FortiGate via valid credentials.

CWE-6722024

CVE-2019-17638

CRITICAL

CVSS:9.4(Critical)

In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer contai...

CWE-6722019

CVE-2021-23995

HIGH

CVSS:8.8(High)

When Responsive Design Mode was enabled, it used references to objects that were previously freed. We presume that with enough effort this could have been exploited to run arbitrary code. This vulnera...

CWE-6722021

CVE-2022-22755

HIGH

CVSS:8.8(High)

By using XSL Transforms, a malicious webserver could have served a user an XSL document that would continue to execute JavaScript (within the bounds of the same-origin policy) even after the tab was c...

CWE-6722022