VYPR

High severity 7.5 · OSV Advisory · Published Mar 21, 2025 · Updated Apr 15, 2026

CVE-2025-30204

Description

golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits its argument, which is untrusted data, on periods via a call to strings.Split. As a result, a malicious request whose Authorization header consists of Bearer followed by many period characters makes a call to that function allocate O(n) bytes, where n is the length of the function's argument, with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.
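As an added defender-side example, not code from golang-jwt or from this advisory: a Go guard that bounds and shape-checks a bearer token before it reaches any JWT parser, plus a small function that reproduces the allocation cost the description quotes. The 8 KiB limit, the function names and the use of a 16-byte string header (64-bit Go) are this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// maxTokenLen bounds the raw token before any parsing. 8 KiB is an assumed
// deployment limit chosen for this example, not a value from the advisory.
const maxTokenLen = 8192

var errMalformed = errors.New("malformed bearer token")

// bearerTokenFromHeader extracts the compact JWS from an Authorization header
// and checks its shape with constant allocations: it uses strings.Count rather
// than strings.Split, so "Bearer" followed by many periods is rejected before
// anything splits the token into per-segment strings.
func bearerTokenFromHeader(header string) (string, error) {
	if !strings.HasPrefix(header, "Bearer ") {
		return "", errMalformed
	}
	tok := header[len("Bearer "):]
	if len(tok) > maxTokenLen {
		return "", errMalformed
	}
	// A compact JWS has exactly three segments, hence exactly two periods.
	if strings.Count(tok, ".") != 2 {
		return "", errMalformed
	}
	return tok, nil
}

// splitSliceBytes reproduces the cost the advisory describes: strings.Split on
// a string holding n periods returns n+1 string headers, 16 bytes each on
// 64-bit Go, so about 16*n bytes for an input that is nothing but periods.
func splitSliceBytes(s string) int {
	return len(strings.Split(s, ".")) * 16
}

func main() {
	hostile := strings.Repeat(".", 100000) // constructed hostile token body
	_, err := bearerTokenFromHeader("Bearer " + hostile)
	fmt.Println("hostile header rejected:", err != nil)
	fmt.Println("strings.Split would allocate about", splitSliceBytes(hostile), "bytes")
}
```

Applying the guard in HTTP middleware means a header of periods is refused after one pass over the string, while a well-formed three-segment token passes through unchanged to the library.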


Affected packages

Versions sourced from the GitHub Security Advisory.

Package                       Ecosystem   Affected versions         Patched versions
github.com/golang-jwt/jwt/v5  Go          >= 5.0.0-rc.1, < 5.2.2    5.2.2
github.com/golang-jwt/jwt/v4  Go          < 4.5.2                   4.5.2
github.com/golang-jwt/jwt     Go          >= 3.2.0, <= 3.2.2        (none listed)
