{"id":"CVE-2025-30204","summary":"jwt-go allows excessive memory allocation during header parsing","details":"golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the method Parser.ParseUnverified splits its argument (untrusted data) on periods via a call to strings.Split. As a result, a malicious request whose Authorization header consists of \"Bearer \" followed by many period characters causes that call to allocate O(n) bytes (where n is the length of the method's argument), with a constant factor of about 16 (one string header per segment). This issue is fixed in 5.2.2 and 4.5.2.","aliases":["GHSA-mh63-6h87-95cp","GO-2025-3553"],"modified":"2026-04-10T05:24:41.912507Z","published":"2025-03-21T21:42:01.382Z","related":["ALSA-2025:3344","ALSA-2025:4669","ALSA-2025:7404","ALSA-2025:7425","ALSA-2025:7475","ALSA-2025:7967","CGA-mpmq-7q6x-72g6","SUSE-SU-2025:02769-1","SUSE-SU-2025:1285-1","SUSE-SU-2025:1332-1","SUSE-SU-2026:0592-1","SUSE-SU-2026:0641-1","SUSE-SU-2026:0659-1","SUSE-SU-2026:0972-1","SUSE-SU-2026:1118-1","openSUSE-SU-2025:14937-1","openSUSE-SU-2025:14954-1","openSUSE-SU-2025:14956-1","openSUSE-SU-2025:14973-1","openSUSE-SU-2025:14989-1","openSUSE-SU-2025:14990-1","openSUSE-SU-2025:15037-1","openSUSE-SU-2025:15052-1","openSUSE-SU-2025:15054-1","openSUSE-SU-2025:15307-1","openSUSE-SU-2025:15418-1","openSUSE-SU-2025:15419-1","openSUSE-SU-2025:15454-1","openSUSE-SU-2025:15606-1","openSUSE-SU-2025:20117-1","openSUSE-SU-2026:10099-1","openSUSE-SU-2026:10100-1","openSUSE-SU-2026:10230-1","openSUSE-SU-2026:10255-1","openSUSE-SU-2026:10302-1","openSUSE-SU-2026:20366-1"],"database_specific":{"cwe_ids":["CWE-405"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/30xxx/CVE-2025-30204.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/30xxx/CVE-2025-30204.json"},{"type":"ADVISORY","url":"https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30204"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20250404-0002/"},{"type":"FIX","url":"https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3"},{"type":"FIX","url":"https://github.com/golang-jwt/jwt/commit/bf316c48137a1212f8d0af9288cc9ce8e59f1afb"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/golang-jwt/jwt","events":[{"introduced":"06ea1031745cb8b3dab3f6a236daf2b0aa468b7e"},{"fixed":"2f0e9add62078527821828c76865661aa7718a84"}],"database_specific":{"versions":[{"introduced":"3.2.0"},{"fixed":"4.5.2"}]}},{"type":"GIT","repo":"https://github.com/golang-jwt/jwt","events":[{"introduced":"148d71010923ca691c950db9846191800f498f8d"},{"fixed":"0951d184286dece21f73c85673fd308786ffe9c3"}],"database_specific":{"versions":[{"introduced":"5.0.0-rc.1"},{"fixed":"5.2.2"}]}}],"versions":["v3.2.0","v3.2.1","v3.2.2","v4.0.0","v4.1.0","v4.2.0","v4.3.0","v4.4.0","v4.4.1","v4.4.2","v4.4.3","v4.5.0","v4.5.1","v5.0.0","v5.0.0-rc.1","v5.0.0-rc.2","v5.1.0","v5.2.0","v5.2.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30204.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}
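The allocation behaviour the details field describes, as an added Go example. This is not code from golang-jwt, from the fix commits or from the advisory: naiveSplit reproduces the pre-fix pattern (an unbounded strings.Split over the untrusted token), boundedSplit is one illustration of a bounded alternative (at most two strings.Cut calls and a fixed three-element result) and is not the project's own fix, and compare, allocBytes, maliciousToken and the sink variables are names chosen here. The payload is constructed in the program, not captured traffic, and the 16-byte-per-segment figure assumes a 64-bit string header.

```go
package main

import (
	"fmt"
	"runtime"
	"strings"
)

// Package-level sinks keep results reachable so the compiler cannot elide
// the allocations being measured.
var (
	sinkParts []string
	sinkFixed [3]string
	sinkOK    bool
)

// naiveSplit is the pre-fix pattern (an illustration, not the library's
// code): an unbounded strings.Split over an untrusted token. strings.Split
// counts the separators and then allocates one []string holding a 16-byte
// string header per segment (64-bit platforms), so n periods cost about
// 16*n bytes before any validation runs.
func naiveSplit(token string) []string {
	return strings.Split(token, ".")
}

// boundedSplit is a hardened alternative (also an illustration): at most two
// strings.Cut calls yield header, claims and signature as substrings of the
// input, and anything other than exactly three segments is rejected. No heap
// allocation happens, however many periods the input contains.
func boundedSplit(token string) ([3]string, bool) {
	header, rest, ok := strings.Cut(token, ".")
	if !ok {
		return [3]string{}, false
	}
	claims, sig, ok := strings.Cut(rest, ".")
	if !ok {
		return [3]string{}, false
	}
	if strings.Contains(sig, ".") { // a fourth segment is malformed as well
		return [3]string{}, false
	}
	return [3]string{header, claims, sig}, true
}

// maliciousToken builds the payload the advisory describes: a bearer token
// made of n period characters (constructed here, not captured traffic).
func maliciousToken(n int) string {
	return strings.Repeat(".", n)
}

// allocBytes returns the heap bytes allocated while f runs, read from the
// runtime's own cumulative counter. A collection is forced first so one does
// not start mid-measurement; ReadMemStats stops the world, so the delta is
// f's own allocation (rounded up to the allocator's size classes).
func allocBytes(f func()) uint64 {
	var before, after runtime.MemStats
	runtime.GC()
	runtime.ReadMemStats(&before)
	f()
	runtime.ReadMemStats(&after)
	return after.TotalAlloc - before.TotalAlloc
}

// compare runs both splitters over a token of n periods and returns the bytes
// each one allocated.
func compare(n int) (naive, bounded uint64) {
	token := maliciousToken(n)
	naive = allocBytes(func() { sinkParts = naiveSplit(token) })
	bounded = allocBytes(func() { sinkFixed, sinkOK = boundedSplit(token) })
	return naive, bounded
}

func main() {
	const n = 1_000_000 // a 1 MB Authorization header value
	naive, bounded := compare(n)
	fmt.Printf("%d periods: strings.Split allocated %d bytes (~%.1fx n), bounded split allocated %d bytes\n",
		n, naive, float64(naive)/float64(n), bounded)
	fmt.Println("bounded split rejected the token:", !sinkOK)
	parts, ok := boundedSplit("eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.sig")
	fmt.Println("well-formed token accepted:", ok, "header segment:", parts[0])
}
```

Run it with `go run`; the naive figure comes out a little above 16*n because the runtime rounds the single large slice allocation up to whole pages. The measurement also shows why a length cap is a usable stopgap until 5.2.2 or 4.5.2 is deployed: the cost is linear in the token length, so limiting the Authorization header size at the reverse proxy or in middleware, before the string reaches ParseUnverified, bounds the allocation an unauthenticated client can force.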