Severity score: 7.5
CWE: 405
EPSS: 0.055%

CVE-2025-30204: jwt-go allows excessive memory allocation during header parsing

First published: Fri Mar 21 2025 (Updated: )

### Summary

Function [`parse.ParseUnverified`](https://github.com/golang-jwt/jwt/blob/c035977d9e11c351f4c05dfeae193923cbab49ee/parser.go#L138-L139) currently splits (via a call to [strings.Split](https://pkg.go.dev/strings#Split)) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose _Authorization_ header consists of `Bearer ` followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16.

Relevant weakness: [CWE-405: Asymmetric Resource Consumption (Amplification)](https://cwe.mitre.org/data/definitions/405.html)

### Details

See [`parse.ParseUnverified`](https://github.com/golang-jwt/jwt/blob/c035977d9e11c351f4c05dfeae193923cbab49ee/parser.go#L138-L139)

### Impact

Excessive memory allocation
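The amplification described above comes from the shape of `strings.Split`: an input of n periods yields n+1 (mostly empty) strings, and every string header costs 16 bytes on 64-bit Go, which is where the constant factor of about 16 comes from. The following added example (written for this page, not code from the golang-jwt project or from the advisory) puts the naive split next to a bounded split that peels off exactly two separators with `strings.Cut` and rejects any other segment count before allocating anything. The names `naiveSplit`, `splitCostBytes`, `splitTokenBounded` and the sample inputs are constructed for illustration; the bounded variant is one reasonable defence, not a claim about how the library's own fix is written.

```go
package main

import (
	"fmt"
	"runtime"
	"strings"
	"unsafe"
)

// Constructed sample input: a string with the three-segment shape of a JWT
// (values are placeholders, not a real token).
const sampleToken = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln"

// hostileToken builds the input shape the advisory describes: what follows
// "Bearer " is nothing but n period characters. Constructed for illustration.
func hostileToken(n int) string { return strings.Repeat(".", n) }

// naiveSplit mirrors the pattern the advisory points at: strings.Split on the
// untrusted string, producing one string header per segment.
func naiveSplit(token string) []string {
	return strings.Split(token, ".")
}

// splitCostBytes estimates the backing array strings.Split must allocate for
// the result slice: one string header per segment. For n periods that is
// (n+1) headers, i.e. about 16*n bytes on 64-bit Go, the O(n) growth with a
// constant of roughly 16 that the advisory describes.
func splitCostBytes(token string) int {
	return (strings.Count(token, ".") + 1) * int(unsafe.Sizeof(""))
}

// splitTokenBounded is a hardened alternative (an assumption for this example,
// not the library's code). It consumes exactly two separators with strings.Cut,
// which only re-slices the input, and rejects any input that does not have
// precisely three segments. Work and memory no longer scale with the number
// of periods the client sends.
func splitTokenBounded(token string) ([3]string, bool) {
	var parts [3]string
	var found bool
	parts[0], token, found = strings.Cut(token, ".")
	if !found {
		return parts, false // fewer than two separators: malformed
	}
	parts[1], token, found = strings.Cut(token, ".")
	if !found {
		return parts, false
	}
	if strings.Contains(token, ".") {
		return parts, false // a fourth segment: malformed, nothing allocated
	}
	parts[2] = token
	return parts, true
}

// measureAlloc reports how many bytes the garbage collector saw allocated
// while fn ran. Measurement is approximate; it is here to make the
// difference between the two strategies visible when run stand-alone.
func measureAlloc(fn func()) uint64 {
	var before, after runtime.MemStats
	runtime.GC()
	runtime.ReadMemStats(&before)
	fn()
	runtime.ReadMemStats(&after)
	return after.TotalAlloc - before.TotalAlloc
}

func main() {
	hostile := hostileToken(1 << 20) // 1 MiB of periods

	fmt.Printf("estimated strings.Split cost for %d periods: %d bytes\n",
		len(hostile), splitCostBytes(hostile))

	var keep []string
	naive := measureAlloc(func() { keep = naiveSplit(hostile) })
	fmt.Printf("measured naive split: %d segments, ~%d bytes allocated\n", len(keep), naive)

	var ok bool
	bounded := measureAlloc(func() { _, ok = splitTokenBounded(hostile) })
	fmt.Printf("measured bounded split: accepted=%v, ~%d bytes allocated\n", ok, bounded)

	if parts, ok := splitTokenBounded(sampleToken); ok {
		fmt.Printf("well-formed input splits into %q\n", parts)
	}
}
```

Run stand-alone, the program prints the estimated and measured allocation for the naive split (tens of megabytes for a 1 MiB header) against a bounded split that allocates essentially nothing and rejects the input. The defensive lesson generalises beyond JWTs: validate the expected segment count of attacker-controlled input before calling any API whose output size is proportional to the input.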

Credit: security-advisories@github.com

| Affected Software | Affected Version | How to fix |
|---|---|---|
| golang-jwt | <5.2.2 | |
| golang-jwt | <4.5.2 | |
| go/github.com/golang-jwt/jwt | >=3.2.0 <=3.2.2 | |
| go/github.com/golang-jwt/jwt/v4 | <4.5.2 | 4.5.2 |
| go/github.com/golang-jwt/jwt/v5 | >=5.0.0-rc.1 <5.2.2 | 5.2.2 |

Frequently Asked Questions

  • What is the severity of CVE-2025-30204?

    The severity of CVE-2025-30204 is rated high (score 7.5): an unauthenticated request carrying a crafted _Authorization_ header can force the parser to allocate memory proportional to the header's length.

  • How do I fix CVE-2025-30204?

    To fix CVE-2025-30204, upgrade to golang-jwt version 5.2.2 or jwt-go version 4.5.2 or later.

  • What systems are affected by CVE-2025-30204?

    CVE-2025-30204 affects golang-jwt versions up to 5.2.2 and jwt-go versions up to 4.5.2.

  • What type of vulnerability is CVE-2025-30204?

    CVE-2025-30204 is a parsing vulnerability related to the improper handling of untrusted data in JSON Web Tokens.

  • How can I determine if my application is vulnerable to CVE-2025-30204?

    Check your application dependencies to see if you are using golang-jwt versions prior to 5.2.2 or jwt-go versions prior to 4.5.2.

© 2025 SecAlerts Pty Ltd.