CVE‐2025‐8885

David Hook edited this page Aug 16, 2025 · 5 revisions

Possible DoS in processing specially formed ASN.1 Object Identifiers

Issue affecting: BC Java 1.00 to 1.77, BC-FJA 1.0.0 to BC-FJA 1.0.2.5, BC-FJA 2.0.0

Fixed versions: BC Java 1.78, BC-FJA 1.0.2.6, BC-FJA 2.0.1

Platform affected: All JVMs.

Creation of ASN.1 OIDs from encodings was uncapped, other than by the maximum size of an ASN1Object. While this is, strictly speaking, valid, it could be used for a DoS attack. Following the practice of other providers, we have adopted a limit of 4096 bytes on the size of an encoded identifier and a cap of 16385 characters on an identifier string.

The issue does not apply to applications which do not consume unvetted, or otherwise unvalidated, ASN.1 encodings. It can be mitigated by placing a cap on the size of ASN.1 encodings that can be consumed from external sources "in the wild", or by introducing some form of validation for such objects.
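As an added illustration of the validation approach just described (example code, not from the advisory or from Bouncy Castle), the following Python pre-validator walks a DER blob and rejects any OBJECT IDENTIFIER whose encoding exceeds 4096 bytes or whose dotted form exceeds 16385 characters before the bytes reach a full ASN.1 parser. The sample DER values are constructed for this example.

```python
MAX_OID_ENCODED_BYTES = 4096   # cap on the encoded identifier adopted in the fix
MAX_OID_STRING_CHARS = 16385   # cap on the dotted identifier string adopted in the fix
# Constructed samples (not from the advisory): SEQUENCE { OID sha256WithRSAEncryption, NULL },
# and a lone OID whose single arc spans 5000 bytes (long-form length 5001 = 0x1389).
GOOD_DER = bytes.fromhex("300d06092a864886f70d01010b0500")
OVERSIZED_DER = b"\x06\x82\x13\x89" + b"\x2a" + b"\xff" * 4999 + b"\x7f"


def _iter_tlv(buf: bytes):
    """Yield (tag, content) per DER element, descending into constructed types."""
    pos = 0
    while pos < len(buf):
        tag = buf[pos]
        if tag & 0x1F == 0x1F or pos + 1 >= len(buf):
            raise ValueError("multi-byte tag or truncated element")
        length, pos = buf[pos + 1], pos + 2
        if length >= 0x80:                         # long form: 0x8n, then n length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        content, pos = buf[pos:pos + length], pos + length
        if len(content) != length:
            raise ValueError("element runs past end of input")
        yield tag, content
        if tag & 0x20:                             # constructed: validate the children too
            yield from _iter_tlv(content)


def oid_to_string(content: bytes) -> str:
    """Decode OID content to dotted form; the first two arcs share one subidentifier."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                           # last byte of this subidentifier
            first = min(value // 40, 2)            # split the packed first two arcs
            arcs += [value] if arcs else [first, value - 40 * first]
            value = 0
    if value or not arcs:
        raise ValueError("truncated or empty OID")
    return ".".join(map(str, arcs))


def check_oids(der: bytes) -> list[str]:
    """Return every OID in `der` in dotted form; raise ValueError if one breaks a cap."""
    dotted = []
    for tag, content in _iter_tlv(der):
        if tag == 0x06:                            # OBJECT IDENTIFIER
            if len(content) > MAX_OID_ENCODED_BYTES:
                raise ValueError(f"OID encoding of {len(content)} bytes exceeds cap")
            dotted.append(oid_to_string(content))  # decode only once the byte cap holds
            if len(dotted[-1]) > MAX_OID_STRING_CHARS:
                raise ValueError("OID string exceeds character cap")
    return dotted
```

Running `check_oids(GOOD_DER)` returns the single algorithm OID, while `check_oids(OVERSIZED_DER)` raises before any attempt to decode the 5001-byte identifier.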

Fix Commit:

https://github.com/bcgit/bc-java/commit/3790993df5d28f661a64439a8664343437ed3865
