CVE-2025-22149

CVE-2025-22149 is a low-severity vulnerability with a CVSS 4.0 base score of 2.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-672.

Key facts

Description

JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value).

Frequently asked questions

What is CVE-2025-22149?
JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value).
How severe is CVE-2025-22149?
CVE-2025-22149 has a CVSS 4.0 base score of 2.1, rated low severity.
Is CVE-2025-22149 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (42nd percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2025-22149?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2025-22149 have an EU (EUVD) identifier?
Yes. CVE-2025-22149 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-0011.
When was CVE-2025-22149 published?
CVE-2025-22149 was published on 2025-01-09 and last updated on 2026-06-17.

References

Other CWE-672 (Operation on a Resource after Expiration or Release) vulnerabilities

Browse all CWE-672 (Operation on a Resource after Expiration or Release) vulnerabilities →