CVE-2025-30204 - Vulnerability Details

golang-jwt is a Go implementation of JSON Web Tokens. Prior to 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

No data.

References

Link	Providers
https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3
https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp
https://nvd.nist.gov/vuln/detail/CVE-2025-30204
https://www.cve.org/CVERecord?id=CVE-2025-30204

History

Mon, 24 Mar 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 24 Mar 2025 02:45:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-30204 https://www.cve.org/CVERecord?id=CVE-2025-30204
Metrics	threat_severity `None`	threat_severity `Important`

Fri, 21 Mar 2025 21:45:00 +0000

Type	Values Removed	Values Added
Description		golang-jwt is a Go implementation of JSON Web Tokens. Prior to 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.
Title		jwt-go allows excessive memory allocation during header parsing
Weaknesses		CWE-405
References		https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3 https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-03-21T21:42:01.382Z

Updated: 2025-03-24T14:10:35.776Z

Reserved: 2025-03-18T18:15:13.849Z

Link: CVE-2025-30204

Vulnrichment

Updated: 2025-03-24T14:10:25.565Z

NVD

Status : Received

Published: 2025-03-21T22:15:26.420

Modified: 2025-03-21T22:15:26.420

Link: CVE-2025-30204

Redhat

Severity : Important

Publid Date: 2025-03-21T21:42:01Z

Links: CVE-2025-30204 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object