{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14813", "assignerOrgId": "91579145-5d7b-4cc5-b925-a0262ff19630", "state": "PUBLISHED", "assignerShortName": "bcorg", "dateReserved": "2025-12-17T00:17:44.229Z", "datePublished": "2026-04-15T08:56:34.057Z", "dateUpdated": "2026-04-15T13:19:49.520Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "91579145-5d7b-4cc5-b925-a0262ff19630", "shortName": "bcorg", "dateUpdated": "2026-04-15T10:08:52.068Z"}, "title": "GOSTCTR implementation unable to process more than 255 blocks correctly", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-327", "description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", "type": "CWE"}]}], "affected": [{"vendor": "Legion of the Bouncy Castle Inc.", "product": "BC-JAVA", "platforms": ["all"], "collectionURL": "https://www.bouncycastle.org/download/bouncy-castle-java/", "packageName": "bcprov", "repo": "https://github.com/bcgit/bc-java", "modules": ["core"], "programFiles": ["G3413CTRBlockCipher"], "versions": [{"status": "affected", "version": "1.59", "lessThan": "1.84", "versionType": "maven"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (core modules). This vulnerability is associated with program files G3413CTRBlockCipher.\n\nGOSTCTR implementation unable to process more than 255 blocks correctly.\n\n\nThis issue affects BC-JAVA: from 1.59 before 1.84.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (core modules).<p> This vulnerability is associated with program files G3413CTRBlockCipher.</p><p>GOSTCTR implementation unable to process more than 255 blocks correctly.<br></p><p>This issue affects BC-JAVA: from 1.59 before 1.84.</p>"}]}], "references": [{"url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%9014813", "tags": ["vendor-advisory"]}, {"url": "https://github.com/bcgit/bc-java/commit/b42574345414e4b7c8051b16fa1fafe01c29871f", "tags": ["patch"]}, {"url": "https://github.com/bcgit/bc-java/commit/701686cb0184cd9ae103c801b3581fdf95c6d4f3", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "RED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.3, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/RE:M/U:Red"}}], "credits": [{"lang": "en", "value": "XlabAI Team of Tencent Xuanwu Lab", "type": "finder"}, {"lang": "en", "value": "Atuin Automated Vulnerability Discovery Engine", "type": "finder"}, {"lang": "en", "value": "Lili Tang, Guannan Wang, and Guancheng Li", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T13:19:43.094033Z", "id": "CVE-2025-14813", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:19:49.520Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14813", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-15T13:19:43.094033Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:19:45.930Z"}}], "cna": {"title": "GOSTCTR implementation unable to process more than 255 blocks correctly", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "XlabAI Team of Tencent Xuanwu Lab"}, {"lang": "en", "type": "finder", "value": "Atuin Automated Vulnerability Discovery Engine"}, {"lang": "en", "type": "finder", "value": "Lili Tang, Guannan Wang, and Guancheng Li"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/RE:M/U:Red", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "RED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/bcgit/bc-java", "vendor": "Legion of the Bouncy Castle Inc.", "modules": ["core"], "product": "BC-JAVA", "versions": [{"status": "affected", "version": "1.59", "lessThan": "1.84", "versionType": "maven"}], "platforms": ["all"], "packageName": "bcprov", "programFiles": ["G3413CTRBlockCipher"], "collectionURL": "https://www.bouncycastle.org/download/bouncy-castle-java/", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%9014813", "tags": ["vendor-advisory"]}, {"url": "https://github.com/bcgit/bc-java/commit/b42574345414e4b7c8051b16fa1fafe01c29871f", "tags": ["patch"]}, {"url": "https://github.com/bcgit/bc-java/commit/701686cb0184cd9ae103c801b3581fdf95c6d4f3", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (core modules). This vulnerability is associated with program files G3413CTRBlockCipher.\n\nGOSTCTR implementation unable to process more than 255 blocks correctly.\n\n\nThis issue affects BC-JAVA: from 1.59 before 1.84.", "supportingMedia": [{"type": "text/html", "value": "Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (core modules).<p> This vulnerability is associated with program files G3413CTRBlockCipher.</p><p>GOSTCTR implementation unable to process more than 255 blocks correctly.<br></p><p>This issue affects BC-JAVA: from 1.59 before 1.84.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-327", "description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"}]}], "providerMetadata": {"orgId": "91579145-5d7b-4cc5-b925-a0262ff19630", "shortName": "bcorg", "dateUpdated": "2026-04-15T10:08:52.068Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14813", "state": "PUBLISHED", "dateUpdated": "2026-04-15T13:19:49.520Z", "dateReserved": "2025-12-17T00:17:44.229Z", "assignerOrgId": "91579145-5d7b-4cc5-b925-a0262ff19630", "datePublished": "2026-04-15T08:56:34.057Z", "assignerShortName": "bcorg"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (core modules). This vulnerability is associated with program files G3413CTRBlockCipher.\n\nGOSTCTR implementation unable to process more than 255 blocks correctly.\n\n\nThis issue affects BC-JAVA: from 1.59 before 1.84."}], "id": "CVE-2025-14813", "lastModified": "2026-04-15T11:16:32.363", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "RED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:Red", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "source": "91579145-5d7b-4cc5-b925-a0262ff19630", "type": "Secondary"}]}, "published": "2026-04-15T10:16:38.243", "references": [{"source": "91579145-5d7b-4cc5-b925-a0262ff19630", "url": "https://github.com/bcgit/bc-java/commit/701686cb0184cd9ae103c801b3581fdf95c6d4f3"}, {"source": "91579145-5d7b-4cc5-b925-a0262ff19630", "url": "https://github.com/bcgit/bc-java/commit/b42574345414e4b7c8051b16fa1fafe01c29871f"}, {"source": "91579145-5d7b-4cc5-b925-a0262ff19630", "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%9014813"}], "sourceIdentifier": "91579145-5d7b-4cc5-b925-a0262ff19630", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-327"}], "source": "91579145-5d7b-4cc5-b925-a0262ff19630", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["all"], "status": "affected", "versions": {"scheme": "generic", "value": "[1.59,1.84)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "BC-JAVA", "source": "cna", "vendor": "Legion of the Bouncy Castle Inc."}, "product": "bc-java", "vendor": "bouncycastle"}], "analysis": {"en": {"generated_at": "2026-04-15T11:28:31.202464+00:00", "value": {"mitigation_remediation": ["Upgrade the BC-Java library to version 1.84 or later, which resolves the GOSTCTR block processing bug.", "Remove or replace any use of the GOSTCTR cipher beyond 255 blocks until a secure implementation is available.", "Conduct a code audit to identify all instances of the BC-Java library and verify that the upgraded version is deployed in production."], "summary": {"action": "Immediate Patch", "impact": "Cryptographic compromise"}, "threat_synthesis": {"affected_systems": "Products affected are BC-Java bcprov from version 1.59 up to but excluding 1.84. Organizations using these library versions must review deployment of the GOSTCTR cipher.\n", "description_and_impact": "A broken or risky cryptographic algorithm is used in the Legion of the Bouncy Castle Inc. BC-Java bcprov library. The GOSTCTR implementation fails to process more than 255 blocks correctly, which can undermine the security of data encrypted with this algorithm. The weakness is identified as a cryptographic algorithm weakness, allowing an adversary to potentially compromise confidentiality of data.\n", "risk_and_exploitability": "The CVSS score is 9.3, indicating a critical severity. There is no EPSS score available, and the vulnerability is not listed in the CISA KEV catalog. The exact attack vector is not described in the CVE data, but given the nature of the flaw it is inferred that an attacker could exploit the weak encryption to decrypt or forge data if the library is used for cryptographic operations.\n"}}}}, "created": "2026-04-15T13:49:14.859482+00:00", "updated": "2026-04-15T14:53:12.784493+00:00", "vendors": ["bouncycastle", "bouncycastle$PRODUCT$bc-java"]}