Ping Identity reports critical flaw in PingAM Java Agent
Take action: If you run Ping Identity's PingAM Java Agent, review the advisory in detail. Where your deployment can tolerate it, apply the mitigation configuration now as an interim measure, and in any case schedule the upgrade to a fixed version promptly; CISA is expected to list this CVE as exploited in the wild.
Learn More
A critical vulnerability has been reported in Ping Identity's PingAM Java Agent.
The flaw is tracked as CVE-2025-20059 (CVSS score 9.2). It is a Relative Path Traversal weakness that could let an attacker craft URL paths which bypass the policies the agent is supposed to enforce. Ping Identity has deliberately withheld technical details to hinder exploitation, but the published mitigation itself points at how the agent handles incoming HTTP requests whose URL path contains a semicolon.
The Java Agent is affected wherever it is deployed, including deployments integrated with PingOne Advanced Identity Cloud.
The vulnerability impacts multiple supported versions of PingAM Java Agent, including:
- PingAM Java Agent 2024.9 and earlier
- PingAM Java Agent 2024.6 and earlier
- PingAM Java Agent 2023.11.1 and earlier
- PingAM Java Agent 5.10.3 and earlier
The vulnerability could also be present in older unsupported versions.
For immediate mitigation on PingAM Java Agent version 2024.9, administrators can add the following property assignment to the AgentBootstrap.properties file:
org.forgerock.agents.raw.url.path.invalidation.regex.list=;
With this setting the agent rejects, with HTTP 400, any request whose raw URL path contains a semicolon. Ping Identity cautions that the workaround can break legitimate workflows that carry semicolons in the path (servlet-style ;jsessionid= path parameters are a common case), and notes that the regular expression is applied only to the path, not to the query string, so semicolons in query parameters are neither blocked nor affected.
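To see exactly what the workaround does and does not catch before enabling it, the following emulation applies the advisory's regex to the raw path of a few constructed request targets. This is an added example and not Ping Identity's code; the helper names and the sample URLs are assumptions made for illustration, and the real agent remains the authority on behaviour.

```python
import re

# Added illustration of the mitigation's effect; this is NOT Ping Identity's code.
# It mimics the documented behaviour: each regex in
# org.forgerock.agents.raw.url.path.invalidation.regex.list is matched against
# the raw URL path only (never the query string), and a match yields HTTP 400.
# The advisory's workaround sets the list to the single regex ";".
INVALIDATION_REGEXES = [";"]


def raw_path(request_target: str) -> str:
    """Return the raw (still percent-encoded) path of a request target.

    Splitting on the first '?' rather than parsing/decoding keeps the check on
    the string as received, which is what a "raw path" check implies.
    """
    return request_target.split("?", 1)[0]


def invalidate(request_target: str, regexes=INVALIDATION_REGEXES):
    """Return 400 if any invalidation regex matches the raw path, else None.

    None means the request is not rejected by this check and proceeds to the
    agent's normal policy evaluation.
    """
    path = raw_path(request_target)
    for pattern in regexes:
        if re.search(pattern, path):
            return 400
    return None


# Constructed request targets for the demonstration, not captured traffic.
SAMPLE_REQUESTS = [
    "/app/reports",                    # ordinary path: passes
    "/app/reports;jsessionid=ABC123",  # servlet path parameter: rejected (the false-positive caveat)
    "/app/reports?filter=a;b",         # semicolon only in the query string: passes, regex is path-only
    "/app/reports;x=1?ok=true",        # semicolon before the '?': rejected
]


def classify(requests=SAMPLE_REQUESTS):
    """Map each request target to the status the mitigated agent would return."""
    return {target: invalidate(target) for target in requests}


if __name__ == "__main__":
    for target, status in classify().items():
        print(f"{status or 'pass':>4}  {target}")
```

Feed your own URL inventory (access logs, route tables) through classify() before enabling the property: every 400 in the output is a workflow the workaround will break, and every semicolon that only appears after the '?' is one it will not touch.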
For a permanent fix, organizations should upgrade to one of the following patched versions:
- PingAM Java Agent 2024.11
- PingAM Java Agent 2023.11.2
- PingAM Java Agent 5.10.4
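A small triage helper that encodes the affected and fixed versions listed above, so an inventory of agent installations can be sorted into "fixed" and "upgrade to X" without reading each version by hand. This is an added example, not Ping Identity's tooling; the host names are constructed, and the assumption that release lines newer than 2024 already contain the fix is mine, not something the advisory states.

```python
# Added triage helper; this is NOT Ping Identity's tooling. It encodes the fixed
# versions named in the advisory (2024.11, 2023.11.2, 5.10.4) and treats every
# older build, including unsupported release lines, as affected.


def parse_version(version: str):
    """'2023.11.1' -> (2023, 11, 1). Tuple comparison gives the right order,
    and a shorter tuple such as (2024, 9) sorts below (2024, 11)."""
    return tuple(int(part) for part in version.strip().split("."))


# First fixed build of each supported release line, per the advisory.
FIXED_BY_LINE = {
    5: (5, 10, 4),
    2023: (2023, 11, 2),
    2024: (2024, 11),
}

# Upgrade target to recommend for an affected build on each line.
TARGET_BY_LINE = {5: "5.10.4", 2023: "2023.11.2", 2024: "2024.11"}


def is_fixed(version: str) -> bool:
    v = parse_version(version)
    major = v[0]
    if major in FIXED_BY_LINE:
        return v >= FIXED_BY_LINE[major]
    # Assumption (not from the advisory): release lines after 2024 postdate the fix.
    if major > 2024:
        return True
    # Older, unsupported lines have no fixed build: treat as affected.
    return False


def recommended_upgrade(version: str) -> str:
    major = parse_version(version)[0]
    return TARGET_BY_LINE.get(major, "a supported fixed release (2024.11 or later)")


# Constructed inventory for the demonstration.
SAMPLE_INVENTORY = [
    ("app-web-01", "2024.9"),
    ("app-web-02", "2024.6"),
    ("legacy-api-01", "2023.11.1"),
    ("legacy-api-02", "5.10.3"),
    ("portal-01", "2024.11"),
    ("portal-02", "5.10.4"),
    ("archive-01", "4.1.1"),
]


def triage(inventory=SAMPLE_INVENTORY):
    """Return {host: (status, upgrade_target_or_None)} for each installation."""
    report = {}
    for host, version in inventory:
        if is_fixed(version):
            report[host] = ("fixed", None)
        else:
            report[host] = ("affected", recommended_upgrade(version))
    return report


if __name__ == "__main__":
    for host, (status, target) in triage().items():
        print(f"{host:<14} {status:<9} {target or ''}")
```

Note that the helper only answers the version question; an affected 2024.9 installation still needs the semicolon workaround until the upgrade lands, and the check only covers the agent binary the version string describes, not the applications behind it.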
The Cybersecurity and Infrastructure Security Agency (CISA) is expected to add CVE-2025-20059 to its Known Exploited Vulnerabilities Catalog. If it does, federal civilian agencies would be required under BOD 22-01 to remediate by the deadline CISA sets, which in practice is often 21 days; other organizations should treat a KEV listing as confirmation of active exploitation and prioritize accordingly.
PingOne Advanced Identity Cloud's core services are not affected, but the Java Agent runs in the customer's own environment, so customers using the Java Agent integration must apply the workaround or upgrade themselves.