CWE-462
Duplicate Key in Associative List (Alist)
Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error.
CVE-2025-21085 (GCVE-0-2025-21085)
Vulnerability from cvelistv5 – Published: 2025-06-15 14:25 – Updated: 2025-06-16 18:08
Title
PingFederate OAuth Grant attribute duplication may use excessive memory
Summary
PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-462 - Duplicate Key in Associative List
Assigner: Ping Identity
References
2 references
| URL | Tags |
|---|---|
| https://support.pingidentity.com/s/article/PingFe… | mitigation |
| https://www.pingidentity.com/en/resources/downloa… | patch |
Impacted products
1 product
| Vendor | Product | Affected versions |
|---|---|---|
| Ping Identity | PingFederate | 12.2.0 , < 12.2.4 (custom); 12.1.0 , < 12.1.9 (custom); 12.0 , < 12.0.9 (custom); 11.3.0 , < 11.3.13 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-21085",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-16T18:08:12.829414Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T18:08:20.514Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"PostgreSQL"
],
"platforms": [
"Windows",
"Linux"
],
"product": "PingFederate",
"vendor": "Ping Identity",
"versions": [
{
"lessThan": "12.2.4",
"status": "affected",
"version": "12.2.0",
"versionType": "custom"
},
{
"lessThan": "12.1.9",
"status": "affected",
"version": "12.1.0",
"versionType": "custom"
},
{
"lessThan": "12.0.9",
"status": "affected",
"version": "12.0",
"versionType": "custom"
},
{
"lessThan": "11.3.13",
"status": "affected",
"version": "11.3.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization."
}
],
"value": "PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "AUTOMATIC",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:P/AU:Y/R:A/RE:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-462",
"description": "CWE-462 Duplicate Key in Associative List",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-15T14:25:39.067Z",
"orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
"shortName": "Ping Identity"
},
"references": [
{
"tags": [
"mitigation"
],
"url": "https://support.pingidentity.com/s/article/PingFederate-grant-attribute-duplication-with-PostgreSQL"
},
{
"tags": [
"patch"
],
"url": "https://www.pingidentity.com/en/resources/downloads/pingfederate.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "PingFederate OAuth Grant attribute duplication may use excessive memory",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Configuration options to mitigate:\u003cbr\u003e\u003cul\u003e\u003cli\u003eMinimum Interval to Roll Refresh Tokens\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eRefresh Token Rolling Grace Period (Seconds)\u003c/span\u003e\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "Configuration options to mitigate:\n * Minimum Interval to Roll Refresh Tokens\n * Refresh Token Rolling Grace Period (Seconds)"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e",
"assignerShortName": "Ping Identity",
"cveId": "CVE-2025-21085",
"datePublished": "2025-06-15T14:25:39.067Z",
"dateReserved": "2025-04-16T01:21:55.198Z",
"dateUpdated": "2025-06-16T18:08:20.514Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Architecture and Design
Description:
- Use a hash table instead of an alist.
Mitigation
Phase: Architecture and Design
Description:
- Use an alist which checks the uniqueness of hash keys with each entry before inserting the entry.
No CAPEC attack patterns related to this CWE.