{"id":"GO-2025-3488","summary":"Unexpected memory consumption during token parsing in golang.org/x/oauth2","details":"An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.","aliases":["CVE-2025-22868","GHSA-6v2p-p543-phr9"],"modified":"2026-03-24T23:55:16.543914Z","published":"2025-02-26T02:51:51Z","related":["CGA-9qp8-wmc2-2x5f","RHSA-2025:3335","RHSA-2025:3593","RHSA-2025:7407","RHSA-2025:7479"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2025-3488","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://go.dev/cl/652155"},{"type":"REPORT","url":"https://go.dev/issue/71490"}],"affected":[{"package":{"name":"golang.org/x/oauth2","ecosystem":"Go","purl":"pkg:golang/golang.org/x/oauth2"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.27.0"}]}],"ecosystem_specific":{"imports":[{"symbols":["Verify"],"path":"golang.org/x/oauth2/jws"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2025-3488.json"}}],"schema_version":"1.7.5","credits":[{"name":"jub0bs"}]}