golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00025}

epss

{'score': 0.00027}


Thu, 26 Jun 2025 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift:4.15::el9

Thu, 26 Jun 2025 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat openshift Api Data Protection
CPEs cpe:/a:redhat:openshift_api_data_protection:1.3::el9
Vendors & Products Redhat openshift Api Data Protection

Tue, 24 Jun 2025 02:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:multicluster_globalhub:1.2::el9

Wed, 18 Jun 2025 16:00:00 +0000

Type Values Removed Values Added
References

Tue, 17 Jun 2025 16:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift_distributed_tracing:3.6::el8

Fri, 06 Jun 2025 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhmt
CPEs cpe:/a:redhat:acm:2.13::el9
cpe:/a:redhat:acm:2.9::el8
cpe:/a:redhat:openshift_data_foundation:4.15::el9
cpe:/a:redhat:openshift_data_foundation:4.16::el9
cpe:/a:redhat:rhmt:1.8::el8
Vendors & Products Redhat rhmt

Tue, 03 Jun 2025 06:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat multicluster Globalhub
CPEs cpe:/a:redhat:multicluster_engine:2.4::el8
cpe:/a:redhat:multicluster_globalhub:1.4::el9
Vendors & Products Redhat multicluster Globalhub

Thu, 29 May 2025 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel E4s
CPEs cpe:/a:redhat:openshift_gitops:1.14::el8
cpe:/a:redhat:rhel_e4s:9.0
Vendors & Products Redhat rhel E4s

Wed, 28 May 2025 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat openshift Devspaces
CPEs cpe:/a:redhat:openshift_devspaces:3::el9
Vendors & Products Redhat openshift Devspaces

Thu, 22 May 2025 03:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift_data_foundation:4.17::el9
cpe:/a:redhat:rhel_eus:8.8

Tue, 20 May 2025 03:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:8

Fri, 16 May 2025 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat openshift Gitops
CPEs cpe:/a:redhat:openshift:4.13::el8
cpe:/a:redhat:openshift_gitops:1.15::el8
Vendors & Products Redhat openshift Gitops

Wed, 14 May 2025 03:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:10.0

Sat, 10 May 2025 03:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift:4.12::el8

Thu, 08 May 2025 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:acm:2.11::el9

Tue, 06 May 2025 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat multicluster Engine
Redhat openshift Data Foundation
CPEs cpe:/a:redhat:acm:2.10::el9
cpe:/a:redhat:multicluster_engine:2.5::el8
cpe:/a:redhat:openshift_data_foundation:4.18::el9
Vendors & Products Redhat multicluster Engine
Redhat openshift Data Foundation

Tue, 29 Apr 2025 06:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat acm
CPEs cpe:/a:redhat:acm:2.12::el9
Vendors & Products Redhat acm

Fri, 25 Apr 2025 03:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat openshift Builds
CPEs cpe:/a:redhat:openshift_builds:1.2::el9
cpe:/a:redhat:openshift_builds:1.3::el9
Vendors & Products Redhat openshift Builds

Wed, 23 Apr 2025 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift:4.16::el9

Fri, 18 Apr 2025 03:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat openshift Custom Metrics Autoscaler
CPEs cpe:/a:redhat:openshift_custom_metrics_autoscaler:2.15::el9
Vendors & Products Redhat openshift Custom Metrics Autoscaler

Thu, 17 Apr 2025 15:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift:4.15::el8

Thu, 17 Apr 2025 05:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat logging
CPEs cpe:/a:redhat:logging:5.9::el9
cpe:/a:redhat:logging:6.0::el9
cpe:/a:redhat:logging:6.1::el9
Vendors & Products Redhat logging

Wed, 16 Apr 2025 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat advanced Cluster Security
CPEs cpe:/a:redhat:advanced_cluster_security:4.5::el8
cpe:/a:redhat:advanced_cluster_security:4.6::el8
cpe:/a:redhat:advanced_cluster_security:4.7::el8
Vendors & Products Redhat advanced Cluster Security

Fri, 11 Apr 2025 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat trusted Artifact Signer
CPEs cpe:/a:redhat:openshift:4.18::el9
cpe:/a:redhat:trusted_artifact_signer:1.1::el9
Vendors & Products Redhat trusted Artifact Signer

Thu, 10 Apr 2025 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift:4.14::el8

Thu, 10 Apr 2025 13:15:00 +0000

Type Values Removed Values Added
Description (removed) golang-jwt is a Go implementation of JSON Web Tokens. Prior to 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.

Description (added) golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.
References

Wed, 09 Apr 2025 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat openshift
CPEs cpe:/a:redhat:openshift:4.17::el9
Vendors & Products Redhat openshift

Mon, 07 Apr 2025 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_eus:9.2
cpe:/a:redhat:rhel_eus:9.4
Vendors & Products Redhat rhel Eus

Sat, 05 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat openshift Distributed Tracing
CPEs cpe:/a:redhat:openshift_distributed_tracing:3.5::el8
Vendors & Products Redhat openshift Distributed Tracing

Sat, 05 Apr 2025 00:45:00 +0000

Type Values Removed Values Added
References

Sat, 05 Apr 2025 00:15:00 +0000

Type Values Removed Values Added
References

Sat, 05 Apr 2025 00:00:00 +0000

Type Values Removed Values Added
References

Wed, 02 Apr 2025 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat cryostat
CPEs cpe:/a:redhat:cryostat:4::el9
Vendors & Products Redhat cryostat

Fri, 28 Mar 2025 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux

Mon, 24 Mar 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 24 Mar 2025 02:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Fri, 21 Mar 2025 21:45:00 +0000

Type Values Removed Values Added
Description golang-jwt is a Go implementation of JSON Web Tokens. Prior to 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.
Title jwt-go allows excessive memory allocation during header parsing
Weaknesses CWE-405
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-04-10T13:03:19.897Z

Reserved: 2025-03-18T18:15:13.849Z

Link: CVE-2025-30204

Vulnrichment

Updated: 2025-04-04T23:03:13.309Z

NVD

Status : Awaiting Analysis

Published: 2025-03-21T22:15:26.420

Modified: 2025-04-10T13:15:52.097

Link: CVE-2025-30204

Redhat

Severity : Important

Public Date: 2025-03-21T21:42:01Z

Links: CVE-2025-30204 - Bugzilla

OpenCVE Enrichment

No data.