CVE-2025-30204: jwt-go allows excessive memory allocation during header parsing
(updated )
Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.
As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function’s argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)
References
- github.com/advisories/GHSA-mh63-6h87-95cp
- github.com/golang-jwt/jwt
- github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3
- github.com/golang-jwt/jwt/commit/bf316c48137a1212f8d0af9288cc9ce8e59f1afb
- github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp
- nvd.nist.gov/vuln/detail/CVE-2025-30204
- security.netapp.com/advisory/ntap-20250404-0002
Code Behaviors & Features
Detect and mitigate CVE-2025-30204 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →