Bug 2347423 (CVE-2025-27144)

Summary: CVE-2025-27144 go-jose: Go JOSE's Parsing Vulnerable to Denial of Service
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: akostadi, alcohan, amasferr, amctagga, anjoseph, bdettelb, bkabrda, cbartlet, crizzo, danken, dmayorov, doconnor, dymurray, fdeutsch, gparvin, jaharrin, jburrell, jcantril, jeder, jlledo, jmatthew, jprabhak, jwendell, lball, manissin, mkudlej, mmakovy, mwringe, ngough, njean, oramraz, owatkins, pahickey, rcernich, rhaigner, rjohnson, rojacob, smullick, stirabos, teagle, thason, tjochec, veshanka, whayutin, wtam
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in GO-JOSE. In affected versions, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code uses strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. This issue could be exploied by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2347478, 2347479, 2347481, 2347482, 2347463, 2347464, 2347465, 2347466, 2347467, 2347468, 2347469, 2347470, 2347471, 2347472, 2347473, 2347474, 2347475, 2347476, 2347477, 2347480, 2347483, 2347484, 2347485    
Bug Blocks:    

Description OSIDB Bzimport 2025-02-24 23:01:07 UTC 
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters.  An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.
Comment 4 errata-xmlrpc 2025-03-25 06:59:15 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:3066 https://access.redhat.com/errata/RHSA-2025:3066
Comment 5 errata-xmlrpc 2025-03-25 07:15:16 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:3068 https://access.redhat.com/errata/RHSA-2025:3068
Comment 6 errata-xmlrpc 2025-03-26 17:34:07 UTC 
This issue has been addressed in the following products:

  RHOL-6.0-RHEL-9

Via RHSA-2025:3132 https://access.redhat.com/errata/RHSA-2025:3132
Comment 7 errata-xmlrpc 2025-03-26 17:39:32 UTC 
This issue has been addressed in the following products:

  RHOL-6.1-RHEL-9

Via RHSA-2025:3131 https://access.redhat.com/errata/RHSA-2025:3131
Comment 8 errata-xmlrpc 2025-03-26 21:50:02 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:3059 https://access.redhat.com/errata/RHSA-2025:3059
Comment 9 errata-xmlrpc 2025-03-27 01:09:09 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:3061 https://access.redhat.com/errata/RHSA-2025:3061
Comment 10 errata-xmlrpc 2025-03-27 14:57:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:3335 https://access.redhat.com/errata/RHSA-2025:3335
Comment 11 errata-xmlrpc 2025-04-03 00:21:47 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2025:3301 https://access.redhat.com/errata/RHSA-2025:3301
Comment 12 errata-xmlrpc 2025-04-03 13:35:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:3593 https://access.redhat.com/errata/RHSA-2025:3593
Comment 13 errata-xmlrpc 2025-04-16 06:12:43 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:3775 https://access.redhat.com/errata/RHSA-2025:3775
Comment 14 errata-xmlrpc 2025-04-16 10:29:34 UTC 
This issue has been addressed in the following products:

  RHOL-5.9-RHEL-9

Via RHSA-2025:3906 https://access.redhat.com/errata/RHSA-2025:3906
Comment 16 errata-xmlrpc 2025-05-01 03:08:45 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:4211 https://access.redhat.com/errata/RHSA-2025:4211
Comment 17 errata-xmlrpc 2025-05-06 07:15:31 UTC 
This issue has been addressed in the following products:

  RHODF-4.18-RHEL-9

Via RHSA-2025:4511 https://access.redhat.com/errata/RHSA-2025:4511
Comment 18 errata-xmlrpc 2025-05-09 04:31:17 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:4427 https://access.redhat.com/errata/RHSA-2025:4427
Comment 19 errata-xmlrpc 2025-05-13 11:50:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7389 https://access.redhat.com/errata/RHSA-2025:7389
Comment 20 errata-xmlrpc 2025-05-13 11:51:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7391 https://access.redhat.com/errata/RHSA-2025:7391
Comment 21 errata-xmlrpc 2025-05-13 11:51:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7397 https://access.redhat.com/errata/RHSA-2025:7397
Comment 22 errata-xmlrpc 2025-05-13 11:53:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7407 https://access.redhat.com/errata/RHSA-2025:7407
Comment 23 errata-xmlrpc 2025-05-13 15:55:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7459 https://access.redhat.com/errata/RHSA-2025:7459
Comment 24 errata-xmlrpc 2025-05-13 15:55:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7462 https://access.redhat.com/errata/RHSA-2025:7462
Comment 25 errata-xmlrpc 2025-05-13 15:56:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7467 https://access.redhat.com/errata/RHSA-2025:7467
Comment 26 errata-xmlrpc 2025-05-13 15:57:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7479 https://access.redhat.com/errata/RHSA-2025:7479
Comment 27 errata-xmlrpc 2025-05-14 02:10:43 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:4712 https://access.redhat.com/errata/RHSA-2025:4712
Comment 28 errata-xmlrpc 2025-05-21 13:50:15 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:7669 https://access.redhat.com/errata/RHSA-2025:7669
Comment 29 errata-xmlrpc 2025-06-17 16:45:01 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.19

Via RHSA-2024:11038 https://access.redhat.com/errata/RHSA-2024:11038