Bug 2387790 (CVE-2025-8885) - CVE-2025-8885 bouncycastle: Bouncy Castle denial of service parsing ASN.1 Object Identifiers [NEEDINFO]
Keywords:
Status: NEW
Alias: CVE-2025-8885
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2388023 2388028 2388032 2388033 2388022 2388024 2388025 2388026 2388027 2388029 2388030 2388031 2388034
Blocks:
 
Reported: 2025-08-12 10:01 UTC by OSIDB Bzimport
Modified: 2025-09-03 08:28 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:
redhat-bugzilla: needinfo? (jmoroney)



Description OSIDB Bzimport 2025-08-12 10:01:24 UTC
Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdentifier.java.

This issue affects Bouncy Castle for Java: from BC 1.0 through 1.77, from BC-FJA 1.0.0 through 2.0.0.

Comment 2 Robert Scheck 2025-08-12 20:02:45 UTC
Jon, why did you file a report against the pdftk-java RPM package? The security flaw is in the bouncycastle RPM package, if I am not completely mistaken…

