GHSA-c6gw-w398-hv78

When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of '.' characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.

Patches

Version 4.0.5 fixes this issue

Workarounds

Applications could pre-validate payloads passed to go-jose do not contain an excessive number of '.' characters.

References

This is the same sort of issue as in the golang.org/x/oauth2/jws package as CVE-2025-22868 and Go issue https://go.dev/issue/71490.

Database specific

{
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-400",
        "CWE-770"
    ],
    "nvd_published_at": "2025-02-24T23:15:11Z",
    "github_reviewed_at": "2025-02-24T22:49:19Z"
}

References

Affected packages

Go / github.com/go-jose/go-jose/v4

Package

Name: github.com/go-jose/go-jose/v4; View open source insights on deps.dev
Purl: pkg:golang/github.com/go-jose/go-jose/v4

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.0.5

Go / github.com/go-jose/go-jose/v3

Package

Name: github.com/go-jose/go-jose/v3; View open source insights on deps.dev
Purl: pkg:golang/github.com/go-jose/go-jose/v3

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.0.4

Go / github.com/go-jose/go-jose

Package

Name: github.com/go-jose/go-jose; View open source insights on deps.dev
Purl: pkg:golang/github.com/go-jose/go-jose

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.0.4