Dependency maven:org.bouncycastle:bcprov-jdk18on:1.78 is vulnerable

[bex1111]

Hi!
There is a vulnerability in latest version dependency.
Details:

Dependency maven:org.bouncycastle:bcprov-jdk18on:1.78 is vulnerable

Update to unaffected version 1.78.1

CVE-2025-8916, Score: 5.3

Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcpkix on All (API modules), Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BCPKIX FIPS bcpkix-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.Java, https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.Java. This issue affects BC Java: from 1.44 through 1.78; BC Java: from 1.44 through 1.78; BCPKIX FIPS: from 1.0.0 through 1.0.7, from 2.0.0 through 2.0.7.

Read More: https://www.mend.io/vulnerability-database/CVE-2025-8916

Results powered by Mend.io

[theo-s68]

Hello,

By any chance do you know which dependency is using bcprov-jdk18on:1.78 ?

I checked the dependency tree and version 1.80 is used:

mvn dependency:tree | grep 'bcprov-jdk18on' | uniq
[INFO] |     \- org.bouncycastle:bcprov-jdk18on:jar:1.80:compile

Thank you

[bex1111]

Yes, the current code of the library doesn't contain it. You should push a new version to https://mvnrepository.com/artifact/io.github.binance/binance-connector-java. Because 3.4.1 contains this vulnerability.