CVE-2025-21085: 
PingFederate vulnerability analysis and mitigation

PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization. This vulnerability was discovered and assigned CVE-2025-21085, with the initial disclosure date of June 15, 2025. The vulnerability specifically affects PingFederate's OAuth2 implementation when using PostgreSQL for persistent storage (NVD, Wiz).

The vulnerability has been assigned a CVSS 4.0 Base Score of 2.1 (LOW) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:P/AU:Y/R:A/RE:L/U:Amber. The issue specifically relates to grant attribute duplication within the PostgreSQL persistent storage mechanism, which can lead to excessive memory consumption during OAuth2 request processing (NVD).

The primary impact of this vulnerability is related to availability, where affected systems may experience excessive memory utilization during OAuth2 request processing. This could potentially lead to degraded performance or service disruption in PingFederate deployments using PostgreSQL for persistent storage (Wiz).

Affected users can find mitigation information and updates through the official PingFederate download page and support portal. Ping Identity has provided specific guidance regarding the grant attribute duplication issue with PostgreSQL (PingFederate Downloads, Ping Support).