Bug 2347423 (CVE-2025-27144) - CVE-2025-27144 go-jose: Go JOSE's Parsing Vulnerable to Denial of Service
Summary: CVE-2025-27144 go-jose: Go JOSE's Parsing Vulnerable to Denial of Service
Keywords:
Status: NEW
Alias: CVE-2025-27144
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2347478 2347479 2347481 2347482 2347463 2347464 2347465 2347466 2347467 2347468 2347469 2347470 2347471 2347472 2347473 2347474 2347475 2347476 2347477 2347480 2347483 2347484 2347485
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-02-24 23:01 UTC by OSIDB Bzimport
Modified: 2025-05-21 13:50 UTC (History)
45 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2025:3059 0 None None None 2025-03-26 21:50:04 UTC
Red Hat Product Errata RHSA-2025:3061 0 None None None 2025-03-27 01:09:12 UTC
Red Hat Product Errata RHSA-2025:3066 0 None None None 2025-03-25 06:59:18 UTC
Red Hat Product Errata RHSA-2025:3068 0 None None None 2025-03-25 07:15:19 UTC
Red Hat Product Errata RHSA-2025:3131 0 None None None 2025-03-26 17:39:35 UTC
Red Hat Product Errata RHSA-2025:3132 0 None None None 2025-03-26 17:34:10 UTC
Red Hat Product Errata RHSA-2025:3301 0 None None None 2025-04-03 00:21:50 UTC
Red Hat Product Errata RHSA-2025:3335 0 None None None 2025-03-27 14:57:03 UTC
Red Hat Product Errata RHSA-2025:3593 0 None None None 2025-04-03 13:35:12 UTC
Red Hat Product Errata RHSA-2025:3775 0 None None None 2025-04-16 06:12:46 UTC
Red Hat Product Errata RHSA-2025:3906 0 None None None 2025-04-16 10:29:38 UTC
Red Hat Product Errata RHSA-2025:4211 0 None None None 2025-05-01 03:08:50 UTC
Red Hat Product Errata RHSA-2025:4427 0 None None None 2025-05-09 04:31:21 UTC
Red Hat Product Errata RHSA-2025:4511 0 None None None 2025-05-06 07:15:35 UTC
Red Hat Product Errata RHSA-2025:4712 0 None None None 2025-05-14 02:10:48 UTC
Red Hat Product Errata RHSA-2025:7389 0 None None None 2025-05-13 11:50:11 UTC
Red Hat Product Errata RHSA-2025:7391 0 None None None 2025-05-13 11:51:10 UTC
Red Hat Product Errata RHSA-2025:7397 0 None None None 2025-05-13 11:51:53 UTC
Red Hat Product Errata RHSA-2025:7407 0 None None None 2025-05-13 11:53:12 UTC
Red Hat Product Errata RHSA-2025:7459 0 None None None 2025-05-13 15:55:37 UTC
Red Hat Product Errata RHSA-2025:7462 0 None None None 2025-05-13 15:55:48 UTC
Red Hat Product Errata RHSA-2025:7467 0 None None None 2025-05-13 15:56:28 UTC
Red Hat Product Errata RHSA-2025:7479 0 None None None 2025-05-13 15:57:40 UTC
Red Hat Product Errata RHSA-2025:7669 0 None None None 2025-05-21 13:50:19 UTC

Description OSIDB Bzimport 2025-02-24 23:01:07 UTC 
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters.  An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.
Comment 4 errata-xmlrpc 2025-03-25 06:59:15 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:3066 https://access.redhat.com/errata/RHSA-2025:3066
Comment 5 errata-xmlrpc 2025-03-25 07:15:16 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:3068 https://access.redhat.com/errata/RHSA-2025:3068
Comment 6 errata-xmlrpc 2025-03-26 17:34:07 UTC 
This issue has been addressed in the following products:

  RHOL-6.0-RHEL-9

Via RHSA-2025:3132 https://access.redhat.com/errata/RHSA-2025:3132
Comment 7 errata-xmlrpc 2025-03-26 17:39:32 UTC 
This issue has been addressed in the following products:

  RHOL-6.1-RHEL-9

Via RHSA-2025:3131 https://access.redhat.com/errata/RHSA-2025:3131
Comment 8 errata-xmlrpc 2025-03-26 21:50:02 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:3059 https://access.redhat.com/errata/RHSA-2025:3059
Comment 9 errata-xmlrpc 2025-03-27 01:09:09 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:3061 https://access.redhat.com/errata/RHSA-2025:3061
Comment 10 errata-xmlrpc 2025-03-27 14:57:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:3335 https://access.redhat.com/errata/RHSA-2025:3335
Comment 11 errata-xmlrpc 2025-04-03 00:21:47 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2025:3301 https://access.redhat.com/errata/RHSA-2025:3301
Comment 12 errata-xmlrpc 2025-04-03 13:35:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:3593 https://access.redhat.com/errata/RHSA-2025:3593
Comment 13 errata-xmlrpc 2025-04-16 06:12:43 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:3775 https://access.redhat.com/errata/RHSA-2025:3775
Comment 14 errata-xmlrpc 2025-04-16 10:29:34 UTC 
This issue has been addressed in the following products:

  RHOL-5.9-RHEL-9

Via RHSA-2025:3906 https://access.redhat.com/errata/RHSA-2025:3906
Comment 16 errata-xmlrpc 2025-05-01 03:08:45 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:4211 https://access.redhat.com/errata/RHSA-2025:4211
Comment 17 errata-xmlrpc 2025-05-06 07:15:31 UTC 
This issue has been addressed in the following products:

  RHODF-4.18-RHEL-9

Via RHSA-2025:4511 https://access.redhat.com/errata/RHSA-2025:4511
Comment 18 errata-xmlrpc 2025-05-09 04:31:17 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:4427 https://access.redhat.com/errata/RHSA-2025:4427
Comment 19 errata-xmlrpc 2025-05-13 11:50:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7389 https://access.redhat.com/errata/RHSA-2025:7389
Comment 20 errata-xmlrpc 2025-05-13 11:51:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7391 https://access.redhat.com/errata/RHSA-2025:7391
Comment 21 errata-xmlrpc 2025-05-13 11:51:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7397 https://access.redhat.com/errata/RHSA-2025:7397
Comment 22 errata-xmlrpc 2025-05-13 11:53:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7407 https://access.redhat.com/errata/RHSA-2025:7407
Comment 23 errata-xmlrpc 2025-05-13 15:55:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7459 https://access.redhat.com/errata/RHSA-2025:7459
Comment 24 errata-xmlrpc 2025-05-13 15:55:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7462 https://access.redhat.com/errata/RHSA-2025:7462
Comment 25 errata-xmlrpc 2025-05-13 15:56:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7467 https://access.redhat.com/errata/RHSA-2025:7467
Comment 26 errata-xmlrpc 2025-05-13 15:57:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7479 https://access.redhat.com/errata/RHSA-2025:7479
Comment 27 errata-xmlrpc 2025-05-14 02:10:43 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:4712 https://access.redhat.com/errata/RHSA-2025:4712
Comment 28 errata-xmlrpc 2025-05-21 13:50:15 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:7669 https://access.redhat.com/errata/RHSA-2025:7669
Note You need to log in before you can comment on or make changes to this bug.