JWK Set's HTTP client only overwrites and appends JWK to local cache during refresh in github.com/MicahParks/jwkset

Overview

Source
ID
GO-2025-3376
Aliases
CVE-2025-22149
GHSA-675f-rq2r-jw82
Affected package

Description

JWK Set's HTTP client only overwrites and appends JWK to local cache during refresh in github.com/MicahParks/jwkset

Impact

Reference links

Summary

108
Total packages affected
Packages with at least one version that is affected by the advisory or has an affected dependency.
26
Packages with a known fix
Packages with versions affected by the advisory that have a greater version that is not affected.
<0.01%
Total ecosystem affected
The proportion of packages in the ecosystem that are affected by the advisory (fixed or not).
github.com/MicahParks/jwkset
Affected Version: Introduced: 0.5.0, Fixed: 0.6.0
Patched/Unaffected
v0.0.1
v0.1.0
v0.1.1
v0.1.2
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.3.0
v0.3.1
v0.3.2-0.20231205231409-8786292b6646
v0.4.0
v0.6.0
v0.7.0
v0.8.0
v0.8.1-0.19700101000000-df24421c392b
Affected
v0.5.21
v0.5.20
v0.5.19
v0.5.18
v0.5.17
v0.5.16
v0.5.15
v0.5.14
v0.5.13
v0.5.12
v0.5.11
v0.5.10
v0.5.9
v0.5.8
v0.5.7
v0.5.6
v0.5.5
v0.5.4
v0.5.3
v0.5.2
v0.5.1
v0.5.0