CVE-2025-30204

jwt-go allows excessive memory allocation during header parsing

Description

golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.

INFO

Published Date :

2025-03-21T21:42:01.382Z

Last Modified :

2025-04-10T13:03:19.897Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2025-30204 vulnerability.

Vendors	Products
Redhat	Acm Advanced Cluster Security Cryostat Enterprise Linux Logging Multicluster Engine Multicluster Globalhub Openshift Openshift Api Data Protection Openshift Builds Openshift Custom Metrics Autoscaler Openshift Data Foundation Openshift Devspaces Openshift Distributed Tracing Openshift Gitops Rhel E4s Rhel Eus Rhmt Trusted Artifact Signer

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-30204.

URL	Resource
https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3
https://github.com/golang-jwt/jwt/commit/bf316c48137a1212f8d0af9288cc9ce8e59f1afb
https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp
https://nvd.nist.gov/vuln/detail/CVE-2025-30204
https://pkg.go.dev/vuln/GO-2025-3553
https://security.netapp.com/advisory/ntap-20250404-0002/
https://www.cve.org/CVERecord?id=CVE-2025-30204

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact