GHSA-4cx2-fc23-5wg6

Source
https://github.com/advisories/GHSA-4cx2-fc23-5wg6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-4cx2-fc23-5wg6/GHSA-4cx2-fc23-5wg6.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-4cx2-fc23-5wg6
Aliases
Downstream
Related
Published
2025-08-13T12:31:30Z
Modified
2025-08-13T23:12:20.389506Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/S:P/R:U/RE:M/U:Amber
Summary
Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive Allocation
Details

Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.java and https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.java.

This issue affects Bouncy Castle for Java: from BC 1.44 through 1.78, from BCPKIX FIPS 1.0.0 through 1.0.7, from BCPKIX FIPS 2.0.0 through 2.0.7.

Database specific
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-770"
    ],
    "github_reviewed_at": "2025-08-13T22:52:42Z",
    "severity": "MODERATE",
    "nvd_published_at": "2025-08-13T10:15:27Z"
}
References

Affected packages

Maven

org.bouncycastle:bcpkix-jdk15on

Package

Name
org.bouncycastle:bcpkix-jdk15on
Purl
pkg:maven/org.bouncycastle/bcpkix-jdk15on

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.44
Fixed
1.79

Affected versions

1.*

1.47
1.48
1.49
1.50
1.51
1.52
1.53
1.54
1.55
1.56
1.57
1.58
1.59
1.60
1.61
1.62
1.63
1.64
1.65
1.66
1.67
1.68
1.69
1.70

Database specific

{
    "last_known_affected_version_range": "<= 1.78"
}

org.bouncycastle:bcpkix-jdk15to18

Package

Name
org.bouncycastle:bcpkix-jdk15to18
Purl
pkg:maven/org.bouncycastle/bcpkix-jdk15to18

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.44
Fixed
1.79

Affected versions

1.*

1.63
1.64
1.65
1.66
1.67
1.68
1.69
1.70
1.71
1.72
1.73
1.74
1.75
1.76
1.77
1.78
1.78.1

Database specific

{
    "last_known_affected_version_range": "<= 1.78"
}

org.bouncycastle:bcpkix-jdk18on

Package

Name
org.bouncycastle:bcpkix-jdk18on
Purl
pkg:maven/org.bouncycastle/bcpkix-jdk18on

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.44
Fixed
1.79

Affected versions

1.*

1.71
1.71.1
1.72
1.73
1.74
1.75
1.76
1.77
1.78
1.78.1

Database specific

{
    "last_known_affected_version_range": "<= 1.78"
}

org.bouncycastle:bcpkix-fips

Package

Name
org.bouncycastle:bcpkix-fips
Purl
pkg:maven/org.bouncycastle/bcpkix-fips

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
1.0.8

Affected versions

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7

Database specific

{
    "last_known_affected_version_range": "<= 1.0.7"
}

org.bouncycastle:bcpkix-fips

Package

Name
org.bouncycastle:bcpkix-fips
Purl
pkg:maven/org.bouncycastle/bcpkix-fips

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.0.8

Affected versions

2.*

2.0.7

Database specific

{
    "last_known_affected_version_range": "<= 2.0.7"
}