CVE-2025-22854
CVE-2025-22854 is a medium-severity vulnerability with a CVSS 4.0 base score of 6.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-394.
Key facts
- Severity: Medium (CVSS 4.0 base score 6.9)
- EPSS exploit prediction: 0% (21st percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-18340
- Weakness: CWE-394
- Published:
- Last modified:
Description
Improper handling of non-200 http responses in the PingFederate Google Adapter leads to thread exhaustion under normal usage conditions.
Frequently asked questions
- What is CVE-2025-22854?
- Improper handling of non-200 http responses in the PingFederate Google Adapter leads to thread exhaustion under normal usage conditions.
- How severe is CVE-2025-22854?
- CVE-2025-22854 has a CVSS 4.0 base score of 6.9, rated medium severity.
- Is CVE-2025-22854 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (21st percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2025-22854?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-22854 have an EU (EUVD) identifier?
- Yes. CVE-2025-22854 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-18340.
- When was CVE-2025-22854 published?
- CVE-2025-22854 was published on 2025-06-15 and last updated on 2026-06-17.
References
- https://docs.pingidentity.com/integrations/google/google_login_integration_kit/pf_google_cic_changelog.html
- https://www.pingidentity.com/en/resources/downloads/pingfederate.html
Other CWE-394 vulnerabilities
- CVE-2025-12516 — Critical (CVSS 9.8): Lack of Graceful Error Handling - HTTP 5xx ErrorThis issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .
- CVE-2025-12515 — Critical (CVSS 9.8): Systemic Internal Server Errors - HTTP 500 ResponseThis issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .
- CVE-2026-25085 — High (CVSS 8.6): A vulnerability exists in Copeland XWEB Pro version 1.12.1 and prior, in which an unexpected return value from the…
- CVE-2019-0066 — High (CVSS 7.5): An unexpected status return value weakness in the Next-Generation Multicast VPN (NG-mVPN) service of Juniper Networks…
- CVE-2025-23013 — High (CVSS 7.3): In Yubico pam-u2f before 1.3.1, local privilege escalation can sometimes occur. This product implements a Pluggable…
- CVE-2025-48510 — High (CVSS 7.1): Improper return value within AMD uProf can allow a local attacker to bypass KSLR, potentially resulting in loss of…