CVE-2025-27144
EPSS 0.10%
DoS in go-jose Parsing
Published: 2025/2/24, modified: 2026/2/4
Description

### Impact

When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used `strings.Split(token, ".")` to split JWT tokens, which allocates one substring per separator and is therefore vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of '.' characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.

### Patches

Version 4.0.5 fixes this issue.

### Workarounds

Applications could pre-validate that payloads passed to go-jose do not contain an excessive number of '.' characters.

### References

This is the same sort of issue as in the golang.org/x/oauth2/jws package as CVE-2025-22868 and Go issue https://go.dev/issue/71490.
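The workaround above, as an added Go example that is not code from go-jose or its fix commit: count the separators with an allocation-free `strings.Count` before the token reaches the library, and, where an application splits compact serializations itself, use `strings.SplitN` with a bound instead of `strings.Split`. The part limits (3 for compact JWS, 5 for compact JWE), function names and sample strings are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Part counts of the two compact serializations:
// JWS compact has 3 parts (2 dots), JWE compact has 5 parts (4 dots).
const (
	maxJWSParts = 3
	maxJWEParts = 5
)

var ErrTooManyParts = errors.New("compact token: too many '.' separators")

// PrecheckCompact rejects input containing more '.' characters than any
// valid compact JWS or JWE can have, before the token is handed to go-jose.
// strings.Count scans the input once without allocating, unlike
// strings.Split, which allocates a substring for every separator.
func PrecheckCompact(token string) error {
	if strings.Count(token, ".") > maxJWEParts-1 {
		return ErrTooManyParts
	}
	return nil
}

// SplitCompactBounded splits a compact token into at most maxParts parts.
// SplitN caps the number of substrings it allocates no matter how many
// separators the input holds; surplus separators remain inside the last
// part, and the length check below then rejects the token.
func SplitCompactBounded(token string, maxParts int) ([]string, error) {
	parts := strings.SplitN(token, ".", maxParts+1)
	if len(parts) > maxParts {
		return nil, ErrTooManyParts
	}
	if len(parts) != maxJWSParts && len(parts) != maxJWEParts {
		return nil, fmt.Errorf("compact token: expected %d (JWS) or %d (JWE) parts, got %d",
			maxJWSParts, maxJWEParts, len(parts))
	}
	return parts, nil
}

func main() {
	// Constructed samples: a JWS-shaped string and a hostile run of separators
	// (neither is a real go-jose test vector).
	good := "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ4In0.c2ln"
	hostile := strings.Repeat(".", 1<<20)
	fmt.Println(PrecheckCompact(good), PrecheckCompact(hostile))
	parts, err := SplitCompactBounded(hostile, maxJWEParts)
	fmt.Println(len(parts), err)
}
```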
Affected packages (8)
- Debian / golang-github-go-jose-go-jose: from 0, < 4.0.5-1
- Go / github.com/go-jose/go-jose: from 0, < 3.0.4
- Go / github.com/go-jose/go-jose: from 0
- Go / github.com/go-jose/go-jose/v3: from 0, < 3.0.4
- Go / github.com/go-jose/go-jose/v3: from 0, < 3.0.4
- Go / github.com/go-jose/go-jose/v4: from 0, < 4.0.5
- Go / github.com/go-jose/go-jose/v4: from 0, < 4.0.5
- Go / github.com/square/go-jose: from 0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
References (8)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-27144
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2025-27144
- PATCH: https://github.com/go-jose/go-jose
- WEB: https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22
- WEB: https://github.com/go-jose/go-jose/releases/tag/v4.0.5
- WEB: https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78
- WEB: https://github.com/golang/go/issues/71490
- WEB: https://go.dev/issue/71490