
CVSS: 7.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

21 Mar 2025 — golang-jwt is a Go implementation of JSON Web Tokens. Prior to 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is ... • https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3 • CWE-405: Asymmetric Resource Consumption (Amplification) •

CVSS: 3.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

04 Nov 2024 — golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to a situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for `jwt.ErrTokenExpired` using `errors.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fi... • https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c • CWE-755: Improper Handling of Exceptional Conditions •

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

23 Jan 2017 — The verify function in Encryption/Symmetric.php in Malcolm Fell jwt before 1.0.3 does not use a timing-safe function for hash comparison, which allows attackers to spoof signatures via a timing attack. • http://www.securityfocus.com/bid/95847 • CWE-361: 7PK - Time and State •

CVSS: 7.5 | EPSS: 1% | CPEs: 1 | EXPL: 0

05 Jun 2015 — JWT.php in F21 JWT before 2.0 allows remote attackers to bypass signature verification via crafted tokens. • http://jvn.jp/en/jp/JVN06120222/index.html • CWE-20: Improper Input Validation •