Bouncy Castle Java DoS via Unbounded Allocation in ASN1ObjId (1.0-1.77)
CVE-2025-8885 Published on August 12, 2025
Possible DOS in processing specially formed ASN.1 Object Identifiers
Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BC-FJA bc-fips on All allows Excessive Allocation. This vulnerability is associated with program files https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdenti... https://github.com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdentifier.Java .
This issue affects BC Java: from 1.0 through 1.77; BC-FJA: from 1.0.0 through 1.0.2.5, from 2.0.0 through 2.0.1.
Weakness Type
Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
Products Associated with CVE-2025-8885
stack.watch emails you whenever new vulnerabilities are published in Bouncycastle Bc Java or Oracle. Just hit a watch button to start following.
Affected Versions
Legion of the Bouncy Castle Inc. BC Java:- Version 1.0, <= 1.77 is affected.
- Version 1.0.0, <= 1.0.2.5 is affected.
- Version 2.0.0, <= 2.0.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.