CVE-2025-8885: 
Java vulnerability analysis and mitigation

A resource exhaustion vulnerability (CVE-2025-8885) was discovered in the Bouncy Castle for Java library, affecting versions BC 1.0 through 1.77 and BC-FJA 1.0.0 through 2.0.0. The vulnerability is related to the uncapped creation of ASN.1 Object Identifiers from encodings, which could potentially lead to excessive resource allocation (BC Wiki).

The vulnerability is classified as an Allocation of Resources Without Limits or Throttling (CWE-770) issue. The flaw exists in the ASN1ObjectIdentifier.java component, where the creation of ASN.1 OIDs from encodings was uncapped, limited only by the maximum size of an ASN1Object. The vulnerability has received a CVSS 4.0 Base Score of 6.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/S:P/R:U/RE:M/U:Amber (NVD).

The vulnerability could be exploited for Denial of Service (DoS) attacks through specially crafted ASN.1 encodings. The impact is particularly relevant for applications that consume unvetted or unvalidated ASN.1 encodings (BC Wiki).

The vulnerability has been fixed in BC Java 1.78 and BC-FJA 2.0.1 by implementing a limit of 4096 bytes on the size of an encoded identifier and a cap of 16385 characters on an identifier string. For affected versions, mitigation can be achieved by placing a cap on the size of ASN.1 encodings consumed from external sources or by introducing validation for such objects (BC Wiki).