CVE-2025-14813 - Critical Severity Vulnerability
Vulnerable Library - bcprov-jdk18on-1.80.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains the JCA/JCE provider and low-level API for the BC Java version 1.80 for Java 8 and later.
Library home page: https://www.bouncycastle.org/download/bouncy-castle-java/
Path to dependency file: /OPENAPI-REST-API/openapi-client/kotlin/build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk18on/1.80/e22100b41042decf09cab914a5af8d2c57b5ac4a/bcprov-jdk18on-1.80.jar
Dependency Hierarchy:
- bcpg-jdk18on-1.80.jar (Root Library)
- ❌ bcprov-jdk18on-1.80.jar (Vulnerable Library)
Found in HEAD commit: 1f70e2feccb7006c8d32cc7d4fe62f5cf5e5c34d
Found in base branch: master
Vulnerability Details
Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (core modules). This vulnerability is associated with program files G3413CTRBlockCipher.
GOSTCTR implementation unable to process more than 255 blocks correctly.
This issue affects BC-JAVA: from 1.59 before 1.84.
Publish Date: 2026-04-15
URL: CVE-2025-14813
CVSS 3 Score Details (9.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-15
Fix Resolution (org.bouncycastle:bcprov-jdk18on): 1.84
Direct dependency fix Resolution (org.bouncycastle:bcpg-jdk18on): 1.84
Step up your Open Source Security Game with Mend here
CVE-2025-14813 - Critical Severity Vulnerability
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains the JCA/JCE provider and low-level API for the BC Java version 1.80 for Java 8 and later.
Library home page: https://www.bouncycastle.org/download/bouncy-castle-java/
Path to dependency file: /OPENAPI-REST-API/openapi-client/kotlin/build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk18on/1.80/e22100b41042decf09cab914a5af8d2c57b5ac4a/bcprov-jdk18on-1.80.jar
Dependency Hierarchy:
Found in HEAD commit: 1f70e2feccb7006c8d32cc7d4fe62f5cf5e5c34d
Found in base branch: master
Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (core modules). This vulnerability is associated with program files G3413CTRBlockCipher.
GOSTCTR implementation unable to process more than 255 blocks correctly.
This issue affects BC-JAVA: from 1.59 before 1.84.
Publish Date: 2026-04-15
URL: CVE-2025-14813
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2026-04-15
Fix Resolution (org.bouncycastle:bcprov-jdk18on): 1.84
Direct dependency fix Resolution (org.bouncycastle:bcpg-jdk18on): 1.84
Step up your Open Source Security Game with Mend here