CVE-2025-8885
Resource Allocation vulnerability in bcprov-jdk14 (Maven)

Resource Allocation No known exploit

What is CVE-2025-8885 About?

A resource allocation vulnerability exists in Bouncy Castle for Java (versions 1.0 through 1.77 and BC-FJA 1.0.0 through 2.0.0), specifically related to `ASN1ObjectIdentifier.java`. Attackers can cause excessive memory allocation through unbounded resource consumption, leading to a denial of service. Exploitation is likely straightforward by providing malformed input that triggers the flawed allocation.

Affected Software

  • org.bouncycastle:bcprov-jdk14
    • >1.0, <1.78
  • org.bouncycastle:bcprov-jdk15to18
    • >1.0, <1.78
  • org.bouncycastle:bcprov-jdk18on
    • >1.0, <1.78
  • org.bouncycastle:bctls-jdk14
    • >1.0, <1.78
  • org.bouncycastle:bctls-jdk15to18
    • >1.0, <1.78
  • org.bouncycastle:bctls-jdk18on
    • >1.0, <1.78
  • org.bouncycastle:bc-fips
    • >2.0.0, <2.0.1
    • >1.0.0, <1.0.2.6

Technical Details

The vulnerability in Bouncy Castle for Java is a resource allocation flaw affecting all API modules, specifically located in the ASN1ObjectIdentifier.java file within the core module. The issue arises from unbounded resource consumption where the component fails to properly limit the amount of memory allocated when processing certain inputs. An attacker can craft a malicious input, likely a malformed ASN.1 object identifier, that, when processed by the vulnerable versions of Bouncy Castle, causes the application to allocate an uncontrollably large amount of memory. This excessive memory allocation starves the system of resources, leading to a denial of service as the application crashes or becomes unresponsive.

What is the Impact of CVE-2025-8885?

Successful exploitation may allow attackers to cause a complete denial of service for any application or service relying on the vulnerable Bouncy Castle library, leading to system instability and unavailability.

What is the Exploitability of CVE-2025-8885?

Exploitation of this resource allocation vulnerability would involve supplying a specially crafted input that triggers the unbounded memory allocation in ASN1ObjectIdentifier.java. The complexity is likely low to moderate, as it mainly requires knowledge of ASN.1 object identifier structures and how to craft a malformed one that exploits the parsing logic. Authentication requirements depend on whether the application processes untrusted input through Bouncy Castle before or after authentication. Privilege requirements are typically none for triggering a DoS. This could be a remote attack if the affected application exposes a network-accessible component that processes ASN.1 data. The primary constraint is the use of vulnerable Bouncy Castle for Java versions (1.0-1.77 or BC-FJA 1.0.0-2.0.0). Risk factors are elevated if the application processes untrusted cryptographic inputs or certificates using the affected library.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CVE-2025-8885?

Available Upgrade Options

  • org.bouncycastle:bcprov-jdk14
    • >1.0, <1.78 → Upgrade to 1.78
  • org.bouncycastle:bctls-jdk14
    • >1.0, <1.78 → Upgrade to 1.78
  • org.bouncycastle:bctls-jdk18on
    • >1.0, <1.78 → Upgrade to 1.78
  • org.bouncycastle:bc-fips
    • >1.0.0, <1.0.2.6 → Upgrade to 1.0.2.6
  • org.bouncycastle:bc-fips
    • >2.0.0, <2.0.1 → Upgrade to 2.0.1
  • org.bouncycastle:bctls-jdk15to18
    • >1.0, <1.78 → Upgrade to 1.78
  • org.bouncycastle:bcprov-jdk15to18
    • >1.0, <1.78 → Upgrade to 1.78
  • org.bouncycastle:bcprov-jdk18on
    • >1.0, <1.78 → Upgrade to 1.78

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.

Book a demo

Additional Resources

What are Similar Vulnerabilities to CVE-2025-8885?

Similar Vulnerabilities: CVE-2023-34042 , CVE-2022-42890 , CVE-2021-44754 , CVE-2020-13936 , CVE-2019-10202

All Rights reserved 2025
Privacy Policy