CVE-2025-30204: jwt-go allows excessive memory allocation during header parsing

7.5 CVSS

Description

golang-jwt is a Go implementation of JSON Web Tokens. Prior to
5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.

Classification

CVE ID: CVE-2025-30204

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem Types

CWE-405: Asymmetric Resource Consumption (Amplification)

Affected Products

Vendor: golang-jwt

Product: jwt

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 4.46% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-30204
https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp
https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3

Timeline

2025-03-21 22:40:13 UTC
CVE

jwt-go allows excessive memory allocation during header parsing
2025-04-14 06:00:45 UTC
Tenable Plugins

RHEL 9 : grafana (RHSA-2025:3618)
2025-04-14 06:00:45 UTC
Tenable Plugins

RHEL 9 : opentelemetry-collector (RHSA-2025:3698)
2025-04-14 06:00:45 UTC
Tenable Plugins

RHEL 9 : grafana (RHSA-2025:3616)