VDB
GO-2025-3376
GO-2025-3376
PUBLISHED
JWK Set's HTTP client only overwrites and appends JWK to local cache during refresh in github.com/MicahParks/jwkset
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | MicahParks/jwkset | 0.5.0, 0.5.0 |
Timeline
- Jan 9, 2025 CVE Published
- Mar 3, 2026 CVE Updated
- May 1, 2026 Security Advisory
References
- https://github.com/MicahParks/jwkset/security/advisories/GHSA-675f-rq2r-jw82 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-22149 advisory
- https://github.com/MicahParks/jwkset/commit/01db49a90f7f20c7fb39a699a2f19a7a5f379ed3 patch
- https://github.com/MicahParks/jwkset/pull/41 patch
- https://github.com/MicahParks/jwkset/issues/40 report