PingFederate Server

PingFederate 12.2.5 (August 2025)

Resolved issues

Admin console IP exposure

Security PF-33113

We’ve fixed a security vulnerability that could have allowed malicious parties to extract the PingFederate administrative console’s IP address through HTTP response headers.

Host header redirect

Security PF-37460

We’ve fixed a security vulnerability that could have allowed malicious parties to redirect PingFederate admin console traffic using a spoofed Host header.

PingFederate error messaging

Fixed PF-36991

We’ve fixed an issue by adding a missing property to pingfederate-messages.properties.

JARM response with error parameter

Fixed PF-37688

We’ve fixed a defect where JARM responses with an error parameter caused PingFederate to return a 500 error. It now returns a 200 response with the appropriate error page.

ATM configuration error

Fixed PF-37716

We’ve fixed a defect that caused an error in PingFederate when configuring an access token manager (ATM) if the administrative node isn’t the coordinator node.

SNI extension error in BCFIPS mode

Fixed PF-37793

PingFederate now always includes the SNI extension in the ClientHello message during a TLS handshake when running in BCFIPS mode.

Wildcard TLS certificate error in BCFIPS mode

Fixed PF-37794

We’ve fixed a defect where PingFederate was refusing wildcard TLS certificates when running in BCFIPS mode.

ClassNotFoundException error

Fixed PF-37819

We’ve fixed an issue that could cause a ClassNotFoundException on the admin console.

JWT API authentication method

Fixed PF-37841

We’ve added JWT as an authentication method for the admin API during upgrade utility validation.