CVE-2025-22868 - Vulnerability Details

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Redhat	Acm Advanced Cluster Security Gatekeeper

No data.

Package	CPE	Advisory	Released Date
gatekeeper 3.15 for RHEL 9
gatekeeper/gatekeeper-operator-bundle:v3.15.4-1	cpe:/a:redhat:gatekeeper:3.15::el9	RHSA-2025:3053	2025-03-20T00:00:00Z
gatekeeper/gatekeeper-rhel9:v3.15.1-30	cpe:/a:redhat:gatekeeper:3.15::el9	RHSA-2025:3053	2025-03-20T00:00:00Z
gatekeeper/gatekeeper-rhel9-operator:v3.15.4-1	cpe:/a:redhat:gatekeeper:3.15::el9	RHSA-2025:3053	2025-03-20T00:00:00Z
gatekeeper 3.17 for RHEL 9
gatekeeper/gatekeeper-operator-bundle:v3.17.2-2	cpe:/a:redhat:gatekeeper:3.17::el9	RHSA-2025:3051	2025-03-20T00:00:00Z
gatekeeper/gatekeeper-rhel9:v3.17.2-5	cpe:/a:redhat:gatekeeper:3.17::el9	RHSA-2025:3051	2025-03-20T00:00:00Z
gatekeeper/gatekeeper-rhel9-operator:v3.17.2-4	cpe:/a:redhat:gatekeeper:3.17::el9	RHSA-2025:3051	2025-03-20T00:00:00Z
Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9
rhacm2/volsync-operator-bundle:v0.12.1-2	cpe:/a:redhat:acm:2.13::el9	RHSA-2025:3172	2025-03-25T00:00:00Z
rhacm2/volsync-rhel9:v0.12.1-2	cpe:/a:redhat:acm:2.13::el9	RHSA-2025:3172	2025-03-25T00:00:00Z
Red Hat Advanced Cluster Security 4.5
advanced-cluster-security/rhacs-central-db-rhel8:4.5.7-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:2526	2025-03-10T00:00:00Z
advanced-cluster-security/rhacs-collector-rhel8:4.5.7-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:2526	2025-03-10T00:00:00Z
advanced-cluster-security/rhacs-collector-slim-rhel8:4.5.7-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:2526	2025-03-10T00:00:00Z
advanced-cluster-security/rhacs-main-rhel8:4.5.7-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:2526	2025-03-10T00:00:00Z
advanced-cluster-security/rhacs-operator-bundle:4.5.7-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:2526	2025-03-10T00:00:00Z
advanced-cluster-security/rhacs-rhel8-operator:4.5.7-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:2526	2025-03-10T00:00:00Z
advanced-cluster-security/rhacs-roxctl-rhel8:4.5.7-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:2526	2025-03-10T00:00:00Z
advanced-cluster-security/rhacs-scanner-db-rhel8:4.5.7-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:2526	2025-03-10T00:00:00Z
advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.5.7-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:2526	2025-03-10T00:00:00Z
advanced-cluster-security/rhacs-scanner-rhel8:4.5.7-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:2526	2025-03-10T00:00:00Z
advanced-cluster-security/rhacs-scanner-slim-rhel8:4.5.7-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:2526	2025-03-10T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.5.7-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:2526	2025-03-10T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-rhel8:4.5.7-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:2526	2025-03-10T00:00:00Z
Red Hat Advanced Cluster Security 4.6
advanced-cluster-security/rhacs-central-db-rhel8:4.6.3-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:2567	2025-03-10T00:00:00Z
advanced-cluster-security/rhacs-collector-rhel8:4.6.3-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:2567	2025-03-10T00:00:00Z
advanced-cluster-security/rhacs-collector-slim-rhel8:4.6.3-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:2567	2025-03-10T00:00:00Z
advanced-cluster-security/rhacs-main-rhel8:4.6.3-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:2567	2025-03-10T00:00:00Z
advanced-cluster-security/rhacs-operator-bundle:4.6.3-3	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:2567	2025-03-10T00:00:00Z
advanced-cluster-security/rhacs-rhel8-operator:4.6.3-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:2567	2025-03-10T00:00:00Z
advanced-cluster-security/rhacs-roxctl-rhel8:4.6.3-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:2567	2025-03-10T00:00:00Z
advanced-cluster-security/rhacs-scanner-db-rhel8:4.6.3-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:2567	2025-03-10T00:00:00Z
advanced-cluster-security/rhacs-scanner-rhel8:4.6.3-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:2567	2025-03-10T00:00:00Z
advanced-cluster-security/rhacs-scanner-slim-rhel8:4.6.3-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:2567	2025-03-10T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.6.3-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:2567	2025-03-10T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-rhel8:4.6.3-3	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:2567	2025-03-10T00:00:00Z
rhacs-scanner-db-slim-container-4.6.3-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:2567	2025-03-10T00:00:00Z

References

Link	Providers
https://go.dev/cl/652155
https://go.dev/issue/71490
https://nvd.nist.gov/vuln/detail/CVE-2025-22868
https://pkg.go.dev/vuln/GO-2025-3488
https://www.cve.org/CVERecord?id=CVE-2025-22868

History

Wed, 26 Mar 2025 03:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat acm
CPEs		cpe:/a:redhat:acm:2.13::el9
Vendors & Products		Redhat acm

Thu, 20 Mar 2025 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat gatekeeper
CPEs		cpe:/a:redhat:gatekeeper:3.15::el9 cpe:/a:redhat:gatekeeper:3.17::el9
Vendors & Products		Redhat gatekeeper

Tue, 11 Mar 2025 02:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat advanced Cluster Security
CPEs		cpe:/a:redhat:advanced_cluster_security:4.5::el8 cpe:/a:redhat:advanced_cluster_security:4.6::el8
Vendors & Products		Redhat Redhat advanced Cluster Security

Tue, 04 Mar 2025 03:45:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 28 Feb 2025 02:00:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-22868 https://www.cve.org/CVERecord?id=CVE-2025-22868
Metrics	threat_severity `None`	threat_severity `Important`

Wed, 26 Feb 2025 18:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1286
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Wed, 26 Feb 2025 03:15:00 +0000

Type	Values Removed	Values Added
Description		An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
Title		Unexpected memory consumption during token parsing in golang.org/x/oauth2
References		https://go.dev/cl/652155 https://go.dev/issue/71490 https://pkg.go.dev/vuln/GO-2025-3488

MITRE

Status: PUBLISHED

Assigner: Go

Published: 2025-02-26T03:07:49.012Z

Updated: 2025-02-26T14:46:20.671Z

Reserved: 2025-01-08T19:11:42.834Z

Link: CVE-2025-22868

Vulnrichment

Updated: 2025-02-26T14:45:55.061Z

NVD

Status : Received

Published: 2025-02-26T08:14:24.897

Modified: 2025-02-26T15:15:24.993

Link: CVE-2025-22868

Redhat

Severity : Important

Publid Date: 2025-02-26T03:07:49Z

Links: CVE-2025-22868 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object