CVE-2025-22854 - Vulnerability Details - OpenCVE

Improper handling of non-200 http responses in the PingFederate Google Adapter leads to thread exhaustion under normal usage conditions.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements Present

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00063.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://docs.pingidentity.com/integrations/google/google_login_integration_kit/pf_google_cic_changelog.html
https://www.pingidentity.com/en/resources/downloads/pingfederate.html

History

Mon, 16 Jun 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sun, 15 Jun 2025 15:15:00 +0000

Type	Values Removed	Values Added
Description		Improper handling of non-200 http responses in the PingFederate Google Adapter leads to thread exhaustion under normal usage conditions.
Title		Possible thread exhaustion from processing http responses in PingFederate Google Adapter
Weaknesses		CWE-394
References		https://docs.pingidentity.com/integrations/google/google_login_integration_kit/pf_google_cic_changelog.html https://www.pingidentity.com/en/resources/downloads/pingfederate.html
Metrics		cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/S:P/AU:Y/R:A/RE:M/U:Red'}`

MITRE

Status: PUBLISHED

Assigner: Ping Identity

Published: 2025-06-15T15:00:06.010Z

Updated: 2025-06-16T18:07:39.037Z

Reserved: 2025-01-13T16:41:43.959Z

Link: CVE-2025-22854

Vulnrichment

Updated: 2025-06-16T18:07:34.999Z

NVD

Status : Awaiting Analysis

Published: 2025-06-15T15:15:19.150

Modified: 2025-06-16T12:32:18.840

Link: CVE-2025-22854

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-22854", "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e", "state": "PUBLISHED", "assignerShortName": "Ping Identity", "dateReserved": "2025-01-13T16:41:43.959Z", "datePublished": "2025-06-15T15:00:06.010Z", "dateUpdated": "2025-06-16T18:07:39.037Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "Google Adapter", "platforms": ["Windows", "Linux"], "product": "PingFederate", "vendor": "Ping Identity", "versions": [{"lessThan": "1.5.2", "status": "affected", "version": "1.0.1", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper handling of non-200 http responses in<span style=\"background-color: rgb(255, 255, 255);\"> the PingFederate Google Adapter</span> leads to thread exhaustion under normal usage conditions."}], "value": "Improper handling of non-200 http responses in\u00a0the PingFederate Google Adapter\u00a0leads to thread exhaustion under normal usage conditions."}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}, {"capecId": "CAPEC-469", "descriptions": [{"lang": "en", "value": "CAPEC-469 HTTP DoS"}]}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "AUTOMATIC", "Safety": "PRESENT", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "RED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/S:P/AU:Y/R:A/RE:M/U:Red", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-394", "description": "CWE-394 Unexpected Status Code or Return Value", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e", "shortName": "Ping Identity", "dateUpdated": "2025-06-15T15:00:06.010Z"}, "references": [{"tags": ["patch"], "url": "https://www.pingidentity.com/en/resources/downloads/pingfederate.html"}, {"tags": ["release-notes"], "url": "https://docs.pingidentity.com/integrations/google/google_login_integration_kit/pf_google_cic_changelog.html"}], "source": {"advisory": "SECADV048", "defect": ["IK-3678"], "discovery": "USER"}, "title": "Possible thread exhaustion from processing http responses in PingFederate Google Adapter", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-16T18:07:24.657856Z", "id": "CVE-2025-22854", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-16T18:07:39.037Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-22854", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-16T18:07:24.657856Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-16T18:07:34.999Z"}}], "cna": {"title": "Possible thread exhaustion from processing http responses in PingFederate Google Adapter", "source": {"defect": ["IK-3678"], "advisory": "SECADV048", "discovery": "USER"}, "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}, {"capecId": "CAPEC-469", "descriptions": [{"lang": "en", "value": "CAPEC-469 HTTP DoS"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "PRESENT", "version": "4.0", "Recovery": "AUTOMATIC", "baseScore": 6.9, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/S:P/AU:Y/R:A/RE:M/U:Red", "providerUrgency": "RED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Ping Identity", "product": "PingFederate", "versions": [{"status": "affected", "version": "1.0.1", "lessThan": "1.5.2", "versionType": "custom"}], "platforms": ["Windows", "Linux"], "packageName": "Google Adapter", "defaultStatus": "unaffected"}], "references": [{"url": "https://www.pingidentity.com/en/resources/downloads/pingfederate.html", "tags": ["patch"]}, {"url": "https://docs.pingidentity.com/integrations/google/google_login_integration_kit/pf_google_cic_changelog.html", "tags": ["release-notes"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper handling of non-200 http responses in\u00a0the PingFederate Google Adapter\u00a0leads to thread exhaustion under normal usage conditions.", "supportingMedia": [{"type": "text/html", "value": "Improper handling of non-200 http responses in<span style=\"background-color: rgb(255, 255, 255);\"> the PingFederate Google Adapter</span> leads to thread exhaustion under normal usage conditions.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-394", "description": "CWE-394 Unexpected Status Code or Return Value"}]}], "providerMetadata": {"orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e", "shortName": "Ping Identity", "dateUpdated": "2025-06-15T15:00:06.010Z"}}}, "cveMetadata": {"cveId": "CVE-2025-22854", "state": "PUBLISHED", "dateUpdated": "2025-06-16T18:07:39.037Z", "dateReserved": "2025-01-13T16:41:43.959Z", "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e", "datePublished": "2025-06-15T15:00:06.010Z", "assignerShortName": "Ping Identity"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper handling of non-200 http responses in\u00a0the PingFederate Google Adapter\u00a0leads to thread exhaustion under normal usage conditions."}, {"lang": "es", "value": "El control inadecuado de respuestas http distintas de 200 en el adaptador de Google PingFederate provoca el agotamiento del hilo en condiciones de uso normales."}], "id": "CVE-2025-22854", "lastModified": "2025-06-16T12:32:18.840", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "AUTOMATIC", "Safety": "PRESENT", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "RED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:A/V:X/RE:M/U:Red", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE"}, "source": "responsible-disclosure@pingidentity.com", "type": "Secondary"}]}, "published": "2025-06-15T15:15:19.150", "references": [{"source": "responsible-disclosure@pingidentity.com", "url": "https://docs.pingidentity.com/integrations/google/google_login_integration_kit/pf_google_cic_changelog.html"}, {"source": "responsible-disclosure@pingidentity.com", "url": "https://www.pingidentity.com/en/resources/downloads/pingfederate.html"}], "sourceIdentifier": "responsible-disclosure@pingidentity.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-394"}], "source": "responsible-disclosure@pingidentity.com", "type": "Secondary"}]}