Bug 2354195 (CVE-2025-30204) - CVE-2025-30204 golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing
Summary: CVE-2025-30204 golang-jwt/jwt: jwt-go allows excessive memory allocation duri...
Keywords:
Status: NEW
Alias: CVE-2025-30204
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2354389 2354390 2354391 2354392 2354393 2354394 2354395 2354396 2354397 2354398 2354399 2354400 2354401 2354402 2354403 2354404 2354405 2354406 2354407 2354409 2354411 2354412 2354413 2354414 2354415 2354416 2354417 2354418 2354419 2354420 2354421 2354422 2354423 2354428 2354429 2354431 2354432 2354433 2354434 2354435 2354438 2354439 2354440 2354441 2354442 2354443 2354447 2354408 2354410 2354424 2354425 2354426 2354427 2354430 2354445
Blocks:
Reported: 2025-03-21 22:01 UTC by OSIDB Bzimport
Modified: 2025-05-15 16:34 UTC (History)
CC: 139 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2025:3344 | 0 | None | None | None | 2025-03-27 15:42:43 UTC
Red Hat Product Errata | RHSA-2025:3411 | 0 | None | None | None | 2025-03-31 14:32:45 UTC
Red Hat Product Errata | RHSA-2025:3503 | 0 | None | None | None | 2025-04-02 04:03:46 UTC
Red Hat Product Errata | RHSA-2025:3565 | 0 | None | None | None | 2025-04-09 04:47:21 UTC
Red Hat Product Errata | RHSA-2025:3569 | 0 | None | None | None | 2025-04-09 20:55:49 UTC
Red Hat Product Errata | RHSA-2025:3577 | 0 | None | None | None | 2025-04-10 11:37:48 UTC
Red Hat Product Errata | RHSA-2025:3616 | 0 | None | None | None | 2025-04-07 01:55:42 UTC
Red Hat Product Errata | RHSA-2025:3618 | 0 | None | None | None | 2025-04-07 02:03:16 UTC
Red Hat Product Errata | RHSA-2025:3698 | 0 | None | None | None | 2025-04-08 15:18:52 UTC
Red Hat Product Errata | RHSA-2025:3775 | 0 | None | None | None | 2025-04-16 06:12:59 UTC
Red Hat Product Errata | RHSA-2025:3790 | 0 | None | None | None | 2025-04-17 04:04:11 UTC
Red Hat Product Errata | RHSA-2025:3798 | 0 | None | None | None | 2025-04-16 17:46:23 UTC
Red Hat Product Errata | RHSA-2025:3906 | 0 | None | None | None | 2025-04-16 10:29:48 UTC
Red Hat Product Errata | RHSA-2025:3907 | 0 | None | None | None | 2025-04-16 21:35:28 UTC
Red Hat Product Errata | RHSA-2025:3928 | 0 | None | None | None | 2025-04-15 19:46:22 UTC
Red Hat Product Errata | RHSA-2025:3929 | 0 | None | None | None | 2025-04-15 19:52:49 UTC
Red Hat Product Errata | RHSA-2025:3930 | 0 | None | None | None | 2025-04-15 20:29:38 UTC
Red Hat Product Errata | RHSA-2025:4008 | 0 | None | None | None | 2025-04-23 05:52:10 UTC
Red Hat Product Errata | RHSA-2025:4012 | 0 | None | None | None | 2025-04-23 12:42:01 UTC
Red Hat Product Errata | RHSA-2025:4019 | 0 | None | None | None | 2025-04-22 23:52:19 UTC
Red Hat Product Errata | RHSA-2025:4177 | 0 | None | None | None | 2025-04-30 07:12:18 UTC
Red Hat Product Errata | RHSA-2025:4204 | 0 | None | None | None | 2025-04-30 03:48:06 UTC
Red Hat Product Errata | RHSA-2025:4211 | 0 | None | None | None | 2025-05-01 03:08:55 UTC
Red Hat Product Errata | RHSA-2025:4250 | 0 | None | None | None | 2025-04-28 16:11:11 UTC
Red Hat Product Errata | RHSA-2025:4409 | 0 | None | None | None | 2025-05-08 19:54:48 UTC
Red Hat Product Errata | RHSA-2025:4422 | 0 | None | None | None | 2025-05-08 19:55:59 UTC
Red Hat Product Errata | RHSA-2025:4462 | 0 | None | None | None | 2025-05-05 14:31:46 UTC
Red Hat Product Errata | RHSA-2025:4473 | 0 | None | None | None | 2025-05-05 23:34:40 UTC
Red Hat Product Errata | RHSA-2025:4502 | 0 | None | None | None | 2025-05-06 06:30:55 UTC
Red Hat Product Errata | RHSA-2025:4511 | 0 | None | None | None | 2025-05-06 07:15:50 UTC
Red Hat Product Errata | RHSA-2025:4569 | 0 | None | None | None | 2025-05-06 16:40:37 UTC
Red Hat Product Errata | RHSA-2025:4669 | 0 | None | None | None | 2025-05-07 14:55:29 UTC
Red Hat Product Errata | RHSA-2025:4677 | 0 | None | None | None | 2025-05-15 16:34:58 UTC
Red Hat Product Errata | RHSA-2025:4810 | 0 | None | None | None | 2025-05-12 15:06:50 UTC
Red Hat Product Errata | RHSA-2025:7404 | 0 | None | None | None | 2025-05-13 11:53:08 UTC
Red Hat Product Errata | RHSA-2025:7407 | 0 | None | None | None | 2025-05-13 11:53:28 UTC
Red Hat Product Errata | RHSA-2025:7425 | 0 | None | None | None | 2025-05-13 11:56:08 UTC
Red Hat Product Errata | RHSA-2025:7475 | 0 | None | None | None | 2025-05-13 15:57:23 UTC
Red Hat Product Errata | RHSA-2025:7479 | 0 | None | None | None | 2025-05-13 15:57:56 UTC
Red Hat Product Errata | RHSA-2025:7503 | 0 | None | None | None | 2025-05-13 16:00:37 UTC

Description OSIDB Bzimport 2025-03-21 22:01:06 UTC
golang-jwt is a Go implementation of JSON Web Tokens. Prior to 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.
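The allocation pattern described above, shown as an added example written for this page (it is not golang-jwt's own code). naiveSplit reproduces the unbounded strings.Split on untrusted input; boundedSplit is one hardening that removes the O(n) term by peeling off exactly the three segments a compact JWS may have and rejecting any further delimiter. The constant factor of about 16 is the size of one Go string header (pointer plus length) on a 64-bit platform, since every period produces one more header. The token values and the function names are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"unsafe"
)

// naiveSplit mirrors the pre-fix pattern the advisory describes: strings.Split
// on untrusted input returns one string header per segment, so an input with
// n periods yields n+1 headers, i.e. memory linear in the input length.
func naiveSplit(token string) []string {
	return strings.Split(token, ".")
}

// boundedSplit is a hardened replacement written for this example (not the
// library's code). A compact JWS has exactly header.claims.signature, so it
// cuts off two segments with strings.Cut and rejects input that still contains
// a period afterwards. Its memory use is constant regardless of input size.
func boundedSplit(token string) ([3]string, bool) {
	var parts [3]string
	header, rest, ok := strings.Cut(token, ".")
	if !ok {
		return parts, false
	}
	claims, rest, ok := strings.Cut(rest, ".")
	if !ok {
		return parts, false
	}
	// Any remaining period means extra delimiters: reject, never split further.
	if strings.Contains(rest, ".") {
		return parts, false
	}
	parts[0], parts[1], parts[2] = header, claims, rest
	return parts, true
}

// looksLikeCompactJWS is an allocation-free gate a caller can apply before
// handing a bearer value to any parser: exactly two periods, no more, no fewer.
func looksLikeCompactJWS(token string) bool {
	return strings.Count(token, ".") == 2
}

// headerBytes estimates the bytes spent on string headers alone for a split
// result; this is the O(n) term with the ~16 constant the advisory refers to.
func headerBytes(parts []string) int {
	return len(parts) * int(unsafe.Sizeof(""))
}

// hostileToken builds a constructed bearer value of the shape the advisory
// describes (only periods). n is kept small so the example runs instantly.
func hostileToken(n int) string {
	return strings.Repeat(".", n)
}

func main() {
	wellFormed := "hdr.claims.sig" // constructed placeholder, not a real token
	p, ok := boundedSplit(wellFormed)
	fmt.Printf("well-formed: ok=%v segments=%q\n", ok, p)

	hostile := hostileToken(10_000)
	parts := naiveSplit(hostile)
	fmt.Printf("naive split: %d segments, ~%d bytes of string headers\n",
		len(parts), headerBytes(parts))
	_, ok = boundedSplit(hostile)
	fmt.Printf("bounded split accepts hostile input: %v (gate says %v)\n",
		ok, looksLikeCompactJWS(hostile))
}
```

The gate in looksLikeCompactJWS is the cheapest place to stop this class of input: strings.Count walks the bytes once and allocates nothing, so rejecting before parsing keeps even a patched parser from doing any work on malformed bearer values.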

Comment 4 errata-xmlrpc 2025-03-27 15:42:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:3344 https://access.redhat.com/errata/RHSA-2025:3344

Comment 5 errata-xmlrpc 2025-03-31 14:32:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:3411 https://access.redhat.com/errata/RHSA-2025:3411

Comment 6 errata-xmlrpc 2025-04-02 04:03:39 UTC
This issue has been addressed in the following products:

  Cryostat 4 on RHEL 9

Via RHSA-2025:3503 https://access.redhat.com/errata/RHSA-2025:3503

Comment 7 errata-xmlrpc 2025-04-07 01:55:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:3616 https://access.redhat.com/errata/RHSA-2025:3616

Comment 8 errata-xmlrpc 2025-04-07 02:03:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:3618 https://access.redhat.com/errata/RHSA-2025:3618

Comment 9 errata-xmlrpc 2025-04-08 15:18:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:3698 https://access.redhat.com/errata/RHSA-2025:3698

Comment 10 errata-xmlrpc 2025-04-09 04:47:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:3565 https://access.redhat.com/errata/RHSA-2025:3565

Comment 11 errata-xmlrpc 2025-04-09 20:55:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2025:3569 https://access.redhat.com/errata/RHSA-2025:3569

Comment 12 errata-xmlrpc 2025-04-10 11:37:41 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:3577 https://access.redhat.com/errata/RHSA-2025:3577

Comment 13 errata-xmlrpc 2025-04-15 19:46:14 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.5

Via RHSA-2025:3928 https://access.redhat.com/errata/RHSA-2025:3928

Comment 14 errata-xmlrpc 2025-04-15 19:52:40 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.6

Via RHSA-2025:3929 https://access.redhat.com/errata/RHSA-2025:3929

Comment 15 errata-xmlrpc 2025-04-15 20:29:31 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.7

Via RHSA-2025:3930 https://access.redhat.com/errata/RHSA-2025:3930

Comment 16 errata-xmlrpc 2025-04-16 06:12:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:3775 https://access.redhat.com/errata/RHSA-2025:3775

Comment 17 errata-xmlrpc 2025-04-16 10:29:40 UTC
This issue has been addressed in the following products:

  RHOL-5.9-RHEL-9

Via RHSA-2025:3906 https://access.redhat.com/errata/RHSA-2025:3906

Comment 18 errata-xmlrpc 2025-04-16 17:46:15 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:3798 https://access.redhat.com/errata/RHSA-2025:3798

Comment 19 errata-xmlrpc 2025-04-16 21:35:20 UTC
This issue has been addressed in the following products:

  RHOL-6.1-RHEL-9

Via RHSA-2025:3907 https://access.redhat.com/errata/RHSA-2025:3907

Comment 20 errata-xmlrpc 2025-04-17 04:04:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2025:3790 https://access.redhat.com/errata/RHSA-2025:3790

Comment 22 errata-xmlrpc 2025-04-22 23:52:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:4019 https://access.redhat.com/errata/RHSA-2025:4019

Comment 23 errata-xmlrpc 2025-04-23 05:52:01 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2025:4008 https://access.redhat.com/errata/RHSA-2025:4008

Comment 24 errata-xmlrpc 2025-04-23 12:41:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:4012 https://access.redhat.com/errata/RHSA-2025:4012

Comment 25 errata-xmlrpc 2025-04-28 16:11:00 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9

Via RHSA-2025:4250 https://access.redhat.com/errata/RHSA-2025:4250

Comment 26 errata-xmlrpc 2025-04-30 03:47:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:4204 https://access.redhat.com/errata/RHSA-2025:4204

Comment 27 errata-xmlrpc 2025-04-30 07:12:07 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2025:4177 https://access.redhat.com/errata/RHSA-2025:4177

Comment 28 errata-xmlrpc 2025-05-01 03:08:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:4211 https://access.redhat.com/errata/RHSA-2025:4211

Comment 29 errata-xmlrpc 2025-05-05 14:31:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:4462 https://access.redhat.com/errata/RHSA-2025:4462

Comment 31 errata-xmlrpc 2025-05-05 23:34:29 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.5 for RHEL 9
  multicluster engine for Kubernetes 2.5 for RHEL 8

Via RHSA-2025:4473 https://access.redhat.com/errata/RHSA-2025:4473

Comment 32 errata-xmlrpc 2025-05-06 06:30:46 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9

Via RHSA-2025:4502 https://access.redhat.com/errata/RHSA-2025:4502

Comment 33 errata-xmlrpc 2025-05-06 07:15:40 UTC
This issue has been addressed in the following products:

  RHODF-4.18-RHEL-9

Via RHSA-2025:4511 https://access.redhat.com/errata/RHSA-2025:4511

Comment 35 errata-xmlrpc 2025-05-06 16:40:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:4569 https://access.redhat.com/errata/RHSA-2025:4569

Comment 36 errata-xmlrpc 2025-05-07 14:55:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:4669 https://access.redhat.com/errata/RHSA-2025:4669

Comment 37 errata-xmlrpc 2025-05-08 19:54:39 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2025:4409 https://access.redhat.com/errata/RHSA-2025:4409

Comment 38 errata-xmlrpc 2025-05-08 19:55:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2025:4422 https://access.redhat.com/errata/RHSA-2025:4422

Comment 39 errata-xmlrpc 2025-05-12 15:06:40 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9

Via RHSA-2025:4810 https://access.redhat.com/errata/RHSA-2025:4810

Comment 40 errata-xmlrpc 2025-05-13 11:52:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7404 https://access.redhat.com/errata/RHSA-2025:7404

Comment 41 errata-xmlrpc 2025-05-13 11:53:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7407 https://access.redhat.com/errata/RHSA-2025:7407

Comment 42 errata-xmlrpc 2025-05-13 11:55:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7425 https://access.redhat.com/errata/RHSA-2025:7425

Comment 43 errata-xmlrpc 2025-05-13 15:57:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7475 https://access.redhat.com/errata/RHSA-2025:7475

Comment 44 errata-xmlrpc 2025-05-13 15:57:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7479 https://access.redhat.com/errata/RHSA-2025:7479

Comment 45 errata-xmlrpc 2025-05-13 16:00:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7503 https://access.redhat.com/errata/RHSA-2025:7503

Comment 47 errata-xmlrpc 2025-05-15 16:34:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2025:4677 https://access.redhat.com/errata/RHSA-2025:4677

