Bug 2354195 (CVE-2025-30204)

Summary: CVE-2025-30204 golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aazores, adudiak, agarcial, akostadi, alcohan, amasferr, amctagga, anjoseph, aoconnor, asegurap, bdettelb, bniver, brking, caswilli, cbartlet, ckandaga, cmah, crizzo, dahernan, dbosanac, dfreiber, dhanak, dmayorov, doconnor, drosa, drow, dsimansk, dymurray, eaguilar, ebaron, eglynn, fdeutsch, flucifre, gkamathe, gmeno, gparvin, haoli, hkataria, ibolton, jaharrin, jajackso, jburrell, jcammara, jcantril, jdobes, jeder, jforrest, jjoyce, jkoehler, jlledo, jmatthew, jmitchel, jmontleo, jneedle, jolong, jprabhak, jreimann, jschluet, jtanner, jwendell, jwong, kaycoth, kegrant, kingland, koliveir, kshier, kverlaen, lball, lchilton, lgamliel, lhh, ljawale, lphiri, lsvaty, luizcosta, mabashia, manissin, matzew, mbenjamin, mburns, mdessi, mgarciac, mhackett, mkleinhe, mmakovy, mnovotny, mrizzi, mwringe, ngough, njean, nobody, nweather, oezr, omaciel, orabin, oramraz, owatkins, pahickey, pbraun, pcattana, periklis, pgaikwad, pgrist, pierdipi, pjindal, pvasanth, rbobbitt, rcernich, rfreiman, rhaigner, rhuss, rjohnson, rojacob, sausingh, sdawley, sfeifer, sfroberg, shvarugh, simaishi, slucidi, smcdonal, smullick, sostapov, sseago, stcannon, stirabos, teagle, tfister, thason, thavo, tjochec, vereddy, veshanka, vkumar, whayutin, wtam, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the golang-jwt implementation of JSON Web Tokens (JWT). In affected versions, a malicious request with specially crafted Authorization header data may trigger an excessive consumption of resources on the host system. This issue can cause significant performance degradation or an application crash, leading to a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2354392, 2354393, 2354394, 2354395, 2354397, 2354398, 2354399, 2354416, 2354417, 2354418, 2354419, 2354420, 2354421, 2354423, 2354428, 2354431, 2354432, 2354434, 2354435, 2354441, 2354442, 2354389, 2354390, 2354391, 2354396, 2354400, 2354401, 2354402, 2354403, 2354404, 2354405, 2354406, 2354407, 2354408, 2354409, 2354410, 2354411, 2354412, 2354413, 2354414, 2354415, 2354422, 2354424, 2354425, 2354426, 2354427, 2354429, 2354430, 2354433, 2354438, 2354439, 2354440, 2354443, 2354445, 2354447    
Bug Blocks:    

Description OSIDB Bzimport 2025-03-21 22:01:06 UTC 
golang-jwt is a Go implementation of JSON Web Tokens. Prior to 
5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer  followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.
Comment 4 errata-xmlrpc 2025-03-27 15:42:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:3344 https://access.redhat.com/errata/RHSA-2025:3344
Comment 5 errata-xmlrpc 2025-03-31 14:32:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:3411 https://access.redhat.com/errata/RHSA-2025:3411
Comment 6 errata-xmlrpc 2025-04-02 04:03:39 UTC 
This issue has been addressed in the following products:

  Cryostat 4 on RHEL 9

Via RHSA-2025:3503 https://access.redhat.com/errata/RHSA-2025:3503
Comment 7 errata-xmlrpc 2025-04-07 01:55:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:3616 https://access.redhat.com/errata/RHSA-2025:3616
Comment 8 errata-xmlrpc 2025-04-07 02:03:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:3618 https://access.redhat.com/errata/RHSA-2025:3618
Comment 9 errata-xmlrpc 2025-04-08 15:18:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:3698 https://access.redhat.com/errata/RHSA-2025:3698
Comment 10 errata-xmlrpc 2025-04-09 04:47:12 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:3565 https://access.redhat.com/errata/RHSA-2025:3565
Comment 11 errata-xmlrpc 2025-04-09 20:55:42 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2025:3569 https://access.redhat.com/errata/RHSA-2025:3569
Comment 12 errata-xmlrpc 2025-04-10 11:37:41 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:3577 https://access.redhat.com/errata/RHSA-2025:3577
Comment 13 errata-xmlrpc 2025-04-15 19:46:14 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.5

Via RHSA-2025:3928 https://access.redhat.com/errata/RHSA-2025:3928
Comment 14 errata-xmlrpc 2025-04-15 19:52:40 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.6

Via RHSA-2025:3929 https://access.redhat.com/errata/RHSA-2025:3929
Comment 15 errata-xmlrpc 2025-04-15 20:29:31 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.7

Via RHSA-2025:3930 https://access.redhat.com/errata/RHSA-2025:3930
Comment 16 errata-xmlrpc 2025-04-16 06:12:52 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:3775 https://access.redhat.com/errata/RHSA-2025:3775
Comment 17 errata-xmlrpc 2025-04-16 10:29:40 UTC 
This issue has been addressed in the following products:

  RHOL-5.9-RHEL-9

Via RHSA-2025:3906 https://access.redhat.com/errata/RHSA-2025:3906
Comment 18 errata-xmlrpc 2025-04-16 17:46:15 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:3798 https://access.redhat.com/errata/RHSA-2025:3798
Comment 19 errata-xmlrpc 2025-04-16 21:35:20 UTC 
This issue has been addressed in the following products:

  RHOL-6.1-RHEL-9

Via RHSA-2025:3907 https://access.redhat.com/errata/RHSA-2025:3907
Comment 20 errata-xmlrpc 2025-04-17 04:04:05 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2025:3790 https://access.redhat.com/errata/RHSA-2025:3790
Comment 22 errata-xmlrpc 2025-04-22 23:52:08 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:4019 https://access.redhat.com/errata/RHSA-2025:4019
Comment 23 errata-xmlrpc 2025-04-23 05:52:01 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2025:4008 https://access.redhat.com/errata/RHSA-2025:4008
Comment 24 errata-xmlrpc 2025-04-23 12:41:50 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:4012 https://access.redhat.com/errata/RHSA-2025:4012
Comment 25 errata-xmlrpc 2025-04-28 16:11:00 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9

Via RHSA-2025:4250 https://access.redhat.com/errata/RHSA-2025:4250
Comment 26 errata-xmlrpc 2025-04-30 03:47:56 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:4204 https://access.redhat.com/errata/RHSA-2025:4204
Comment 27 errata-xmlrpc 2025-04-30 07:12:07 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2025:4177 https://access.redhat.com/errata/RHSA-2025:4177
Comment 28 errata-xmlrpc 2025-05-01 03:08:45 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:4211 https://access.redhat.com/errata/RHSA-2025:4211
Comment 29 errata-xmlrpc 2025-05-05 14:31:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:4462 https://access.redhat.com/errata/RHSA-2025:4462
Comment 31 errata-xmlrpc 2025-05-05 23:34:29 UTC 
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.5 for RHEL 9
  multicluster engine for Kubernetes 2.5 for RHEL 8

Via RHSA-2025:4473 https://access.redhat.com/errata/RHSA-2025:4473
Comment 32 errata-xmlrpc 2025-05-06 06:30:46 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9

Via RHSA-2025:4502 https://access.redhat.com/errata/RHSA-2025:4502
Comment 33 errata-xmlrpc 2025-05-06 07:15:40 UTC 
This issue has been addressed in the following products:

  RHODF-4.18-RHEL-9

Via RHSA-2025:4511 https://access.redhat.com/errata/RHSA-2025:4511
Comment 35 errata-xmlrpc 2025-05-06 16:40:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:4569 https://access.redhat.com/errata/RHSA-2025:4569
Comment 36 errata-xmlrpc 2025-05-07 14:55:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:4669 https://access.redhat.com/errata/RHSA-2025:4669
Comment 37 errata-xmlrpc 2025-05-08 19:54:39 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2025:4409 https://access.redhat.com/errata/RHSA-2025:4409
Comment 38 errata-xmlrpc 2025-05-08 19:55:48 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2025:4422 https://access.redhat.com/errata/RHSA-2025:4422
Comment 39 errata-xmlrpc 2025-05-12 15:06:40 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9

Via RHSA-2025:4810 https://access.redhat.com/errata/RHSA-2025:4810
Comment 40 errata-xmlrpc 2025-05-13 11:52:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7404 https://access.redhat.com/errata/RHSA-2025:7404
Comment 41 errata-xmlrpc 2025-05-13 11:53:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7407 https://access.redhat.com/errata/RHSA-2025:7407
Comment 42 errata-xmlrpc 2025-05-13 11:55:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7425 https://access.redhat.com/errata/RHSA-2025:7425
Comment 43 errata-xmlrpc 2025-05-13 15:57:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7475 https://access.redhat.com/errata/RHSA-2025:7475
Comment 44 errata-xmlrpc 2025-05-13 15:57:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7479 https://access.redhat.com/errata/RHSA-2025:7479
Comment 45 errata-xmlrpc 2025-05-13 16:00:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7503 https://access.redhat.com/errata/RHSA-2025:7503
Comment 47 errata-xmlrpc 2025-05-15 16:34:47 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2025:4677 https://access.redhat.com/errata/RHSA-2025:4677
Comment 48 errata-xmlrpc 2025-05-19 09:47:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:7967 https://access.redhat.com/errata/RHSA-2025:7967
Comment 49 errata-xmlrpc 2025-05-21 14:06:53 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2025:7702 https://access.redhat.com/errata/RHSA-2025:7702
Comment 50 errata-xmlrpc 2025-05-21 15:33:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2025:8075 https://access.redhat.com/errata/RHSA-2025:8075
Comment 51 errata-xmlrpc 2025-05-27 22:52:04 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Dev Spaces 3 Containers

Via RHSA-2025:8244 https://access.redhat.com/errata/RHSA-2025:8244
Comment 52 errata-xmlrpc 2025-05-28 15:22:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:8267 https://access.redhat.com/errata/RHSA-2025:8267
Comment 53 errata-xmlrpc 2025-06-02 14:58:20 UTC 
This issue has been addressed in the following products:

  multicluster-globalhub 1.4 for RHEL 9

Via RHSA-2025:8384 https://access.redhat.com/errata/RHSA-2025:8384
Comment 54 errata-xmlrpc 2025-06-02 17:37:34 UTC 
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.4 for RHEL 8

Via RHSA-2025:8390 https://access.redhat.com/errata/RHSA-2025:8390
Comment 55 errata-xmlrpc 2025-06-02 18:59:51 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8

Via RHSA-2025:8392 https://access.redhat.com/errata/RHSA-2025:8392
Comment 56 errata-xmlrpc 2025-06-04 01:59:43 UTC 
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2025:8479 https://access.redhat.com/errata/RHSA-2025:8479
Comment 57 errata-xmlrpc 2025-06-04 12:26:06 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.8

Via RHSA-2025:8510 https://access.redhat.com/errata/RHSA-2025:8510
Comment 58 errata-xmlrpc 2025-06-04 20:12:50 UTC 
This issue has been addressed in the following products:

  RHODF-4.15-RHEL-9

Via RHSA-2025:8544 https://access.redhat.com/errata/RHSA-2025:8544
Comment 59 errata-xmlrpc 2025-06-04 21:19:49 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9

Via RHSA-2025:8542 https://access.redhat.com/errata/RHSA-2025:8542
Comment 60 errata-xmlrpc 2025-06-09 14:27:48 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9

Via RHSA-2025:8691 https://access.redhat.com/errata/RHSA-2025:8691
Comment 61 errata-xmlrpc 2025-06-10 06:26:41 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:8560 https://access.redhat.com/errata/RHSA-2025:8560
Comment 62 errata-xmlrpc 2025-06-11 12:03:15 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:8552 https://access.redhat.com/errata/RHSA-2025:8552
Comment 63 errata-xmlrpc 2025-06-13 05:16:50 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2025:8556 https://access.redhat.com/errata/RHSA-2025:8556
Comment 65 errata-xmlrpc 2025-06-23 15:11:55 UTC 
This issue has been addressed in the following products:

  multicluster-globalhub 1.2 for RHEL 9

Via RHSA-2025:9388 https://access.redhat.com/errata/RHSA-2025:9388
Comment 66 errata-xmlrpc 2025-06-24 14:31:31 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9

Via RHSA-2025:9541 https://access.redhat.com/errata/RHSA-2025:9541
Comment 67 errata-xmlrpc 2025-06-25 14:06:31 UTC 
This issue has been addressed in the following products:

  OADP-1.3-RHEL-9

Via RHSA-2025:9646 https://access.redhat.com/errata/RHSA-2025:9646
Comment 68 errata-xmlrpc 2025-06-26 01:50:10 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2025:9259 https://access.redhat.com/errata/RHSA-2025:9259
Comment 69 errata-xmlrpc 2025-07-18 15:51:59 UTC 
This issue has been addressed in the following products:

  OADP-1.4-RHEL-9

Via RHSA-2025:11396 https://access.redhat.com/errata/RHSA-2025:11396
Comment 70 errata-xmlrpc 2025-07-23 03:59:13 UTC 
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.7 for RHEL 9
  multicluster engine for Kubernetes 2.7 for RHEL 8

Via RHSA-2025:11573 https://access.redhat.com/errata/RHSA-2025:11573
Comment 71 errata-xmlrpc 2025-07-24 15:24:15 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 8.1

Via RHSA-2025:11749 https://access.redhat.com/errata/RHSA-2025:11749
Comment 72 errata-xmlrpc 2025-07-31 03:56:33 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2025:11669 https://access.redhat.com/errata/RHSA-2025:11669
Comment 75 errata-xmlrpc 2025-08-14 15:22:31 UTC 
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.6 for RHEL 9
  multicluster engine for Kubernetes 2.6 for RHEL 8

Via RHSA-2025:13900 https://access.redhat.com/errata/RHSA-2025:13900
Comment 77 errata-xmlrpc 2025-09-17 15:01:58 UTC 
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.8 for RHEL 9
  multicluster engine for Kubernetes 2.8 for RHEL 8

Via RHSA-2025:16101 https://access.redhat.com/errata/RHSA-2025:16101