Bug 2348366 (CVE-2025-22868)

Summary: CVE-2025-22868 golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the token parsing component of the `golang.org/x/oauth2/jws` package. The package splits JWT tokens with `strings.Split(token, ".")`, which allocates one substring per separator before the token is validated, so a maliciously crafted token containing a large number of `.` characters causes excessive memory consumption. By sending many such malformed tokens, an attacker can exhaust the memory of the parsing process and cause a Denial of Service.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2348753, 2348754, 2348755, 2348757, 2348773, 2348774, 2348775, 2348776, 2348784, 2348785, 2348786, 2348787, 2348788, 2348789, 2348790, 2348791, 2348792, 2348819, 2348820, 2348821, 2348822, 2348823, 2348824, 2348825, 2348826, 2348827, 2348828, 2348829, 2348830, 2348831, 2348834, 2348835, 2348837, 2348838, 2348839, 2350677, 2348756, 2348793, 2348794, 2348795, 2348796, 2348797, 2348798, 2348799, 2348800, 2348801, 2348802, 2348803, 2348807, 2348809, 2348811, 2348812, 2348813, 2348814, 2348815, 2348816, 2348817, 2348818, 2348832, 2348833, 2348836, 2348840    
Bug Blocks:    

Description OSIDB Bzimport 2025-02-26 04:01:06 UTC
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
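Added illustration of the parsing pattern named in the Doc Text above; this is not code from golang.org/x/oauth2 or from Red Hat. It places the unbounded `strings.Split` form beside a bounded variant that rejects a token before allocating anything proportional to its separator count. The helper names `splitUnbounded`, `splitBounded` and `hostileToken` are hypothetical, and the bounded version is one possible mitigation, not the upstream fix.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrMalformedToken is returned for anything that is not header.payload.signature.
var ErrMalformedToken = errors.New("jws: token must have exactly three non-empty dot-separated parts")

// splitUnbounded mirrors the pattern the advisory describes: strings.Split
// allocates one string header per separator before any validation happens,
// so a token made of N dots costs N+1 allocations (hypothetical helper).
func splitUnbounded(token string) ([]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformedToken
	}
	return parts, nil
}

// splitBounded validates the separator count with a single O(n) scan and then
// uses at most two strings.Cut calls, so a hostile token is rejected without
// any per-separator allocation (hypothetical hardened helper).
func splitBounded(token string) ([3]string, error) {
	var parts [3]string
	if strings.Count(token, ".") != 2 {
		return parts, ErrMalformedToken
	}
	head, rest, _ := strings.Cut(token, ".")
	payload, sig, _ := strings.Cut(rest, ".")
	if head == "" || payload == "" || sig == "" {
		return parts, ErrMalformedToken
	}
	return [3]string{head, payload, sig}, nil
}

// hostileToken builds a constructed malformed token made only of separators.
func hostileToken(dots int) string { return strings.Repeat(".", dots) }

func main() {
	// Constructed sample with the right shape; the segments are not a real JWT.
	fmt.Println(splitBounded("eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJ4In0.c2ln"))
	// splitUnbounded(hostileToken(1<<24)) would build ~16.8M empty strings
	// (about 256 MiB of string headers) before failing; splitBounded fails
	// on the same input without allocating.
	_, err := splitBounded(hostileToken(1 << 24))
	fmt.Println(err)
}
```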

Comment 6 errata-xmlrpc 2025-03-20 04:38:08 UTC
This issue has been addressed in the following products:

  gatekeeper 3.17 for RHEL 9

Via RHSA-2025:3051 https://access.redhat.com/errata/RHSA-2025:3051

Comment 7 errata-xmlrpc 2025-03-20 04:55:58 UTC
This issue has been addressed in the following products:

  gatekeeper 3.15 for RHEL 9

Via RHSA-2025:3053 https://access.redhat.com/errata/RHSA-2025:3053

Comment 8 errata-xmlrpc 2025-03-25 19:59:12 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9

Via RHSA-2025:3172 https://access.redhat.com/errata/RHSA-2025:3172

Comment 9 errata-xmlrpc 2025-03-27 14:57:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:3335 https://access.redhat.com/errata/RHSA-2025:3335

Comment 10 errata-xmlrpc 2025-04-01 21:01:21 UTC
This issue has been addressed in the following products:

  multicluster-globalhub 1.2 for RHEL 9

Via RHSA-2025:3498 https://access.redhat.com/errata/RHSA-2025:3498

Comment 11 errata-xmlrpc 2025-04-02 04:03:38 UTC
This issue has been addressed in the following products:

  Cryostat 4 on RHEL 9

Via RHSA-2025:3503 https://access.redhat.com/errata/RHSA-2025:3503

Comment 12 errata-xmlrpc 2025-04-03 13:35:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:3593 https://access.redhat.com/errata/RHSA-2025:3593

Comment 14 errata-xmlrpc 2025-04-08 23:27:22 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.8 for RHEL 9
  multicluster engine for Kubernetes 2.8 for RHEL 8

Via RHSA-2025:3720 https://access.redhat.com/errata/RHSA-2025:3720

Comment 15 errata-xmlrpc 2025-04-14 18:00:51 UTC
This issue has been addressed in the following products:

  multicluster-globalhub 1.3 for RHEL 9

Via RHSA-2025:3863 https://access.redhat.com/errata/RHSA-2025:3863

Comment 16 errata-xmlrpc 2025-04-15 21:50:30 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Dev Spaces 3 Containers

Via RHSA-2025:3932 https://access.redhat.com/errata/RHSA-2025:3932

Comment 17 errata-xmlrpc 2025-04-16 18:10:21 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9

Via RHSA-2025:3959 https://access.redhat.com/errata/RHSA-2025:3959

Comment 18 errata-xmlrpc 2025-04-17 04:04:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2025:3790 https://access.redhat.com/errata/RHSA-2025:3790

Comment 19 errata-xmlrpc 2025-04-17 17:19:52 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.7 for RHEL 9
  multicluster engine for Kubernetes 2.7 for RHEL 8

Via RHSA-2025:3987 https://access.redhat.com/errata/RHSA-2025:3987

Comment 20 errata-xmlrpc 2025-04-17 22:09:50 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9

Via RHSA-2025:4002 https://access.redhat.com/errata/RHSA-2025:4002

Comment 22 errata-xmlrpc 2025-04-28 16:11:00 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9

Via RHSA-2025:4250 https://access.redhat.com/errata/RHSA-2025:4250

Comment 24 errata-xmlrpc 2025-05-05 23:34:29 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.5 for RHEL 9
  multicluster engine for Kubernetes 2.5 for RHEL 8

Via RHSA-2025:4473 https://access.redhat.com/errata/RHSA-2025:4473

Comment 25 errata-xmlrpc 2025-05-06 07:15:32 UTC
This issue has been addressed in the following products:

  RHODF-4.18-RHEL-9

Via RHSA-2025:4511 https://access.redhat.com/errata/RHSA-2025:4511

Comment 27 errata-xmlrpc 2025-05-07 01:12:02 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.6 for RHEL 8
  multicluster engine for Kubernetes 2.6 for RHEL 9

Via RHSA-2025:4605 https://access.redhat.com/errata/RHSA-2025:4605

Comment 28 errata-xmlrpc 2025-05-12 15:06:31 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9

Via RHSA-2025:4810 https://access.redhat.com/errata/RHSA-2025:4810

Comment 29 errata-xmlrpc 2025-05-13 11:53:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7407 https://access.redhat.com/errata/RHSA-2025:7407

Comment 30 errata-xmlrpc 2025-05-13 15:57:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7479 https://access.redhat.com/errata/RHSA-2025:7479

Comment 31 errata-xmlrpc 2025-05-14 14:49:31 UTC
This issue has been addressed in the following products:

  RHODF-4.18-RHEL-9

Via RHSA-2025:7616 https://access.redhat.com/errata/RHSA-2025:7616

Comment 33 errata-xmlrpc 2025-05-20 17:18:18 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:7863 https://access.redhat.com/errata/RHSA-2025:7863

Comment 34 errata-xmlrpc 2025-06-02 17:37:34 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.4 for RHEL 8

Via RHSA-2025:8390 https://access.redhat.com/errata/RHSA-2025:8390

Comment 35 errata-xmlrpc 2025-06-03 10:16:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:8284 https://access.redhat.com/errata/RHSA-2025:8284

Comment 36 errata-xmlrpc 2025-06-04 09:20:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:8280 https://access.redhat.com/errata/RHSA-2025:8280

Comment 37 errata-xmlrpc 2025-06-04 12:17:00 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2025:8299 https://access.redhat.com/errata/RHSA-2025:8299

Comment 38 errata-xmlrpc 2025-06-04 12:26:06 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.8

Via RHSA-2025:8510 https://access.redhat.com/errata/RHSA-2025:8510

Comment 39 errata-xmlrpc 2025-06-04 20:12:37 UTC
This issue has been addressed in the following products:

  RHODF-4.15-RHEL-9

Via RHSA-2025:8544 https://access.redhat.com/errata/RHSA-2025:8544

Comment 40 errata-xmlrpc 2025-06-13 05:16:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2025:8556 https://access.redhat.com/errata/RHSA-2025:8556