CVE-2025-22868: Unexpected memory consumption during token parsing in golang.org/x/oauth2

Description

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

CWE-1286: Improper Validation of Syntactic Correctness of Input

Vendor: golang.org/x/oauth2

Product: golang.org/x/oauth2/jws

EPSS Score: 0.17% (probability of being exploited)

EPSS Percentile: 34.93% (scored less or equal to compared to others)

EPSS Date: 2025-03-27 (when was this score calculated)

2025-02-24 23:15:37 UTC
Github Advisory Database (Go)

[github.com/go-jose/go-jose/v4] DoS in go-jose Parsing
2025-02-26 04:41:33 UTC
CVE

Unexpected memory consumption during token parsing in golang.org/x/oauth2
2025-03-14 11:00:36 UTC
Tenable Plugins

SUSE SLES12 Security Update : google-osconfig-agent (SUSE-SU-2025:0852-1)
2025-03-15 11:00:30 UTC
Tenable Plugins

SUSE SLES12 Security Update : google-guest-agent (SUSE-SU-2025:0872-1)
2025-03-16 10:15:30 UTC
Tenable Plugins

openSUSE 15 Security Update : restic (openSUSE-SU-2025:0091-1)
2025-03-25 12:00:49 UTC
Tenable Plugins

openSUSE 15 Security Update : cadvisor (openSUSE-SU-2025:0103-1)
2025-03-26 17:15:31 UTC
Tenable Plugins

SUSE SLES15 / openSUSE 15 Security Update : google-osconfig-agent (SUSE-SU-2025:1006-1)
2025-03-26 17:15:31 UTC
Tenable Plugins

SUSE SLES15 / openSUSE 15 Security Update : google-guest-agent (SUSE-SU-2025:1005-1)
2025-04-17 11:30:40 UTC
Tenable Plugins

Amazon Linux 2 : docker (ALASNITRO-ENCLAVES-2025-053)
2025-04-17 11:30:41 UTC
Tenable Plugins

Amazon Linux 2 : docker (ALASDOCKER-2025-056)