CVE-2025-30204

Public on 2025-03-21
Modified on 2025-03-31
Description
golang-jwt is a Go implementation of JSON Web Tokens. Prior to
5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.
Severity
Important severity
Important
CVSS v3 Base Score
7.5
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
HAQM Linux 2 - Core amazon-cloudwatch-agent 2025-05-08 ALAS2-2025-2851 Fixed
HAQM Linux 2023 amazon-cloudwatch-agent 2025-05-07 ALAS2023-2025-968 Fixed
HAQM Linux 2 - Docker Extra docker 2025-04-23 ALAS2DOCKER-2025-058 Fixed
HAQM Linux 2 - Ecs Extra docker 2025-04-23 ALAS2ECS-2025-055 Fixed
HAQM Linux 2 - Aws-nitro-enclaves-cli Extra docker 2025-04-23 ALAS2NITRO-ENCLAVES-2025-054 Fixed
HAQM Linux 2023 docker 2025-04-23 ALAS2023-2025-945 Fixed
HAQM Linux 2 - Docker Extra runfinch-finch 2025-04-23 ALAS2DOCKER-2025-057 Fixed
HAQM Linux 2023 runfinch-finch 2025-04-23 ALAS2023-2025-944 Fixed

CVSS Scores

Score Type Score Vector
HAQM Linux CVSSv3 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD CVSSv3 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Red Hat: CVE-2025-30204 Mitre: CVE-2025-30204