CVE-2025-27144: DoS in go-jose Parsing
When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which allocates one slice element per '.' and is therefore vulnerable to excessive memory consumption when processing maliciously crafted tokens containing a large number of '.' characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.
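The difference between the unbounded split described above and a bounded one, as an added Go example that is not go-jose's own code: splitUnbounded mirrors the strings.Split pattern the advisory names, and splitCompact is a hypothetical hardened form that counts separators (no allocation) and rejects any token without exactly the expected number of segments before splitting. The sample token and the dot-only input are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrBadSegments is returned when the token does not have the expected
// number of '.'-separated segments (3 for compact JWS, 5 for compact JWE).
var ErrBadSegments = errors.New("compact token: unexpected number of segments")

// splitUnbounded mirrors the vulnerable pattern: strings.Split allocates one
// slice element per '.' in the input, so a token made of a million dots forces
// a million-element allocation before any validation has happened.
func splitUnbounded(token string) []string {
	return strings.Split(token, ".")
}

// splitCompact is the hardened form (hypothetical, not go-jose's fix): count
// the separators first, which allocates nothing, reject anything that is not
// exactly `want` segments, and only then split with a fixed upper bound.
// Validation of each segment's content is a separate step and not shown here.
func splitCompact(token string, want int) ([]string, error) {
	if strings.Count(token, ".") != want-1 {
		return nil, ErrBadSegments
	}
	// SplitN never returns more than `want` parts, and the Count check above
	// guarantees it returns exactly that many.
	return strings.SplitN(token, ".", want), nil
}

func main() {
	jws := "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln" // constructed sample
	malicious := strings.Repeat(".", 1_000_000)         // constructed abusive input

	fmt.Println(len(splitUnbounded(malicious))) // 1000001 elements allocated
	fmt.Println(splitCompact(jws, 3))
	_, err := splitCompact(malicious, 3)
	fmt.Println(err) // rejected without a per-dot allocation
}
```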
References
- github.com/advisories/GHSA-c6gw-w398-hv78
- github.com/go-jose/go-jose
- github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22
- github.com/go-jose/go-jose/releases/tag/v4.0.5
- github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78
- github.com/golang/go/issues/71490
- go.dev/issue/71490
- nvd.nist.gov/vuln/detail/CVE-2025-27144