CVE-2025-30204

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-30204

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30204.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-30204

Aliases

Related

UBUNTU-CVE-2025-30204

Published

2025-03-21T22:15:26Z

Modified

2025-03-26T17:54:41.024281Z

Summary

[none]

Details

golang-jwt is a Go implementation of JSON Web Tokens. Prior to 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.

References

Affected packages

Debian:12 / golang-github-golang-jwt-jwt

Package

Name: golang-github-golang-jwt-jwt
Purl: pkg:deb/debian/golang-github-golang-jwt-jwt?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.4.3-1

5.*

5.0.0-1

5.0.0+really4.5.0-1~exp1

5.0.0+really4.5.0-1

5.0.0+really4.5.0-2

5.0.0+really4.5.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / golang-github-golang-jwt-jwt

Package

Name: golang-github-golang-jwt-jwt
Purl: pkg:deb/debian/golang-github-golang-jwt-jwt?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.0.0+really4.5.2-1

Affected versions

4.*

4.4.3-1

5.*

5.0.0-1

5.0.0+really4.5.0-1~exp1

5.0.0+really4.5.0-1

5.0.0+really4.5.0-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / golang-github-golang-jwt-jwt-v5

Package

Name: golang-github-golang-jwt-jwt-v5
Purl: pkg:deb/debian/golang-github-golang-jwt-jwt-v5?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.2.2-1

Affected versions

5.*

5.2.0-1

5.2.0-2~bpo12+1

5.2.0-2

5.2.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/golang-jwt/jwt

Affected ranges

Type: GIT
Repo: https://github.com/golang-jwt/jwt
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

0951d184286dece21f73c85673fd308786ffe9c3

Affected versions

v1.*

v1.0.0

v1.0.1

v1.0.2

v2.*

v2.0.0

v2.1.0

v2.2.0

v2.3.0

v2.4.0

v2.5.0

v2.6.0

v2.7.0

v3.*

v3.0.0

v3.1.0

v3.2.0

v3.2.1

v3.2.2

v4.*

v4.0.0

v4.1.0

v4.2.0

v4.3.0

v4.4.0

v4.4.1

v4.4.2

v4.4.3

v4.5.0

v5.*

v5.0.0

v5.0.0-rc.1

v5.0.0-rc.2

v5.1.0

v5.2.0

v5.2.1