GHSA-67mf-3cr5-8w23

Suggest an improvement
Source
https://github.com/advisories/GHSA-67mf-3cr5-8w23
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-67mf-3cr5-8w23/GHSA-67mf-3cr5-8w23.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-67mf-3cr5-8w23
Aliases
Downstream
Related
Published
2025-08-12T12:30:32Z
Modified
2025-09-03T13:29:41.740857Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/S:P/R:U/RE:M/U:Amber CVSS Calculator
Summary
Bouncy Castle for Java on All (API modules) allows Excessive Allocation
Details

A resource allocation vulnerability exists in Bouncy Castle for Java (by Legion of the Bouncy Castle Inc.) that affects all API modules. The vulnerability allows attackers to cause excessive memory allocation through unbounded resource consumption, potentially leading to denial of service. The issue is located in the ASN1ObjectIdentifier.java file in the core module.

This issue affects Bouncy Castle for Java: from BC 1.0 through 1.77, from BC-FJA 1.0.0 through 2.0.0.

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-12T19:36:18Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-770"
    ],
    "nvd_published_at": "2025-08-12T10:15:26Z"
}
References

Affected packages

Maven

org.bouncycastle:bcprov-jdk14

Package

Name
org.bouncycastle:bcprov-jdk14
View open source insights on deps.dev
Purl
pkg:maven/org.bouncycastle/bcprov-jdk14

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0
Fixed
1.78

Affected versions

1.*

1.38
1.43
1.44
1.45
1.46
1.47
1.48
1.49
1.50
1.51
1.53
1.54
1.55
1.56
1.57
1.58
1.59
1.60
1.61
1.62
1.63
1.64
1.65
1.67
1.68
1.69
1.70
1.71
1.72
1.73
1.74
1.75
1.76
1.77

org.bouncycastle:bcprov-jdk15to18

Package

Name
org.bouncycastle:bcprov-jdk15to18
View open source insights on deps.dev
Purl
pkg:maven/org.bouncycastle/bcprov-jdk15to18

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0
Fixed
1.78

Affected versions

1.*

1.63
1.64
1.65
1.66
1.67
1.68
1.69
1.70
1.71
1.72
1.73
1.74
1.75
1.76
1.77

org.bouncycastle:bcprov-jdk18on

Package

Name
org.bouncycastle:bcprov-jdk18on
View open source insights on deps.dev
Purl
pkg:maven/org.bouncycastle/bcprov-jdk18on

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0
Fixed
1.78

Affected versions

1.*

1.71
1.71.1
1.72
1.73
1.74
1.75
1.76
1.77

org.bouncycastle:bctls-jdk14

Package

Name
org.bouncycastle:bctls-jdk14
View open source insights on deps.dev
Purl
pkg:maven/org.bouncycastle/bctls-jdk14

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0
Fixed
1.78

Affected versions

1.*

1.61
1.62
1.63
1.64
1.65
1.67
1.68
1.69
1.70
1.71
1.72
1.73
1.74
1.75
1.76
1.77

org.bouncycastle:bctls-jdk15to18

Package

Name
org.bouncycastle:bctls-jdk15to18
View open source insights on deps.dev
Purl
pkg:maven/org.bouncycastle/bctls-jdk15to18

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0
Fixed
1.78

Affected versions

1.*

1.63
1.64
1.65
1.66
1.67
1.68
1.69
1.70
1.71
1.72
1.73
1.74
1.75
1.76
1.77

org.bouncycastle:bctls-jdk18on

Package

Name
org.bouncycastle:bctls-jdk18on
View open source insights on deps.dev
Purl
pkg:maven/org.bouncycastle/bctls-jdk18on

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0
Fixed
1.78

Affected versions

1.*

1.71
1.71.1
1.72
1.73
1.74
1.75
1.76
1.77

org.bouncycastle:bc-fips

Package

Name
org.bouncycastle:bc-fips
View open source insights on deps.dev
Purl
pkg:maven/org.bouncycastle/bc-fips

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
1.0.2.6

Affected versions

1.*

1.0.0
1.0.1
1.0.2
1.0.2.1
1.0.2.3
1.0.2.4
1.0.2.5

org.bouncycastle:bc-fips

Package

Name
org.bouncycastle:bc-fips
View open source insights on deps.dev
Purl
pkg:maven/org.bouncycastle/bc-fips

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.0.1

Affected versions

2.*

2.0.0