CVE-2025-22149: JWK Set's HTTP client only overwrites and appends JWK to local cache during refresh

The project’s provided HTTP client’s local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation.

Example attack scenario:

  1. An attacker has stolen the private key for a key published in JWK Set.
  2. The publishers of that JWK Set remove that key from the JWK Set.
  3. Enough time has passed that the program using the auto-caching HTTP client found in github.com/MicahParks/jwkset v0.5.0-v0.5.21 has elapsed its HTTPClientStorageOptions.RefreshInterval duration, causing a refresh of the remote JWK Set.
  4. The attacker is signing content (such as JWTs) with the stolen private key and the system has no other forms of revocation.

References

Detect and mitigate CVE-2025-22149 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →