CVE Tools
Sign in

CVE-2025-30204

jwt-go allows excessive memory allocation during header parsing

Published: Mar 21, 2025Updated: Apr 10, 2025 Sources: CVE List NVD GHSA BDUCWE-405
NVD MITRE
7.5CVSSHIGH
EPSS Score
0.7%
Top 52.0%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:NI:NA:H
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:NConfidentiality
None
I:NIntegrity
None
A:HAvailability
High
Open in CVSS calculator →

Weaknesses

CWE-405

Affected Products

openSUSE TumbleweedNovell Inc.
On-premOS
Operating Systems / linux-distro
Debian GNU/LinuxСообщество свободного программного обеспечения
On-premOS
Operating Systems / linux-distro
РЕД ОСООО «Ред Софт»
On-premOS
Operating Systems / linux-distro
SUSE Linux Enterprise Server for SAP ApplicationsNovell Inc.
On-premOS
Operating Systems / linux-distro
SUSE Manager Retail Branch ServerNovell Inc.Operating Systems / linux-distro
novell inc.commercialUSOperating Systems
сообщество свободного программного обеспеченияoss-projectOperating Systemsaka сообщество свободного программного обеспечения, fsf
ооо «ред софт»commercialRUOperating Systemsaka red soft
and 22 more affected products View all →

Exploitability

Official Patch Available

References

https://nvd.nist.gov/vuln/detail/CVE-2025-30204
nvd.nist.gov
https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp
github.com
https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3
github.com
and 19 more references View all →

Timeline

Published
Mar 21, 2025
Last Updated
Apr 10, 2025

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2025-30204 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows