CVE-2025-8885
Bouncy Castle for Java on All (API modules) allows Excessive Allocation
Description
Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BC-FJA bc-fips on All allows Excessive Allocation. This vulnerability is associated with program files https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdentifier.Java. This issue affects BC Java: from 1.0 through 1.77; BC-FJA: from 1.0.0 through 1.0.2.5, from 2.0.0 through 2.0.1.
How to fix CVE-2025-8885
To remediate CVE-2025-8885, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 1.0.2.6 or later
- —upgrade to 1.78 or later
- —upgrade to 1.78 or later
- —upgrade to 1.78 or later
- —upgrade to 1.78 or later
- —upgrade to 1.78 or later
- —upgrade to 1.78 or later
Is CVE-2025-8885 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (8)
- from 0
- >= 1.0.0, < 1.0.2.6
- >= 1.0, < 1.78
- >= 1.0, < 1.78
- >= 1.0, < 1.78
- >= 1.0, < 1.78
- >= 1.0, < 1.78
- >= 1.0, < 1.78
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/S:P/R:U/RE:M/U:Amber |