CVE-2025-30204
jwt-go allows excessive memory allocation during header parsing
- Public Exploits: 2
- Exploited in Wild: 0
Descriptions
golang-jwt is a Go implementation of JSON Web Tokens. Prior to 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.
A flaw was found in the golang-jwt implementation of JSON Web Tokens (JWT). In affected versions, a malicious request with specially crafted Authorization header data may trigger an excessive consumption of resources on the host system. This issue can cause significant performance degradation or an application crash, leading to a denial of service.
An update for opentelemetry-collector is now available for Red Hat Enterprise Linux 9.
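Added example (not the project's code and not its upstream fix): the unbounded strings.Split pattern the description refers to, beside a bounded variant that counts delimiters before splitting so that a Bearer value made of many periods is rejected without per-segment allocation. The function names and the sample token are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// tokenDelimiter separates the three JWS segments: header.payload.signature.
const tokenDelimiter = "."

var errMalformed = errors.New("token malformed: expected exactly three segments")

// splitUnbounded mirrors the pre-fix pattern the advisory describes: strings.Split on
// untrusted input allocates one 16-byte (64-bit) string header per period, O(N) memory.
func splitUnbounded(token string) []string {
	return strings.Split(token, tokenDelimiter)
}

// splitBounded refuses any token without exactly two delimiters. strings.Count is a
// linear scan that allocates nothing, so a flood of periods is rejected at constant cost.
func splitBounded(token string) ([]string, error) {
	if strings.Count(token, tokenDelimiter) != 2 {
		return nil, errMalformed
	}
	return strings.SplitN(token, tokenDelimiter, 3), nil
}

// bearerToken extracts the credential from an Authorization header value and
// reports false when the scheme is not Bearer.
func bearerToken(header string) (string, bool) {
	const prefix = "Bearer "
	if !strings.HasPrefix(header, prefix) {
		return "", false
	}
	return strings.TrimPrefix(header, prefix), true
}

func main() {
	// Constructed inputs: a well-formed three-segment token and an Authorization
	// header made of nothing but periods, the shape the advisory describes.
	good := "eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1In0.sig"
	flood := "Bearer " + strings.Repeat(".", 1<<10)
	parts, err := splitBounded(good)
	fmt.Println(len(parts), err) // 3 <nil>
	tok, _ := bearerToken(flood)
	fmt.Println(len(splitUnbounded(tok))) // 1025 slice elements for the naive split
	_, err = splitBounded(tok)
	fmt.Println(err) // token malformed: expected exactly three segments
}
```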
SSVC
- Decision:Attend
Timeline
- 2025-03-18 CVE Reserved
- 2025-03-21 CVE Published
- 2025-03-24 CVE Updated
- 2025-03-30 EPSS Updated
- (no date) Exploited in Wild
- (no date) KEV Due Date
- (no date) First Exploit
CWE
- CWE-405: Asymmetric Resource Consumption (Amplification)