CVE-2025-30204 - Vulnerability Details

golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Redhat	Cryostat Enterprise Linux Openshift Openshift Distributed Tracing Rhel Eus Trusted Artifact Signer

No data.

Package	CPE	Advisory	Released Date
Cryostat 4 on RHEL 9
cryostat/cryostat-agent-init-rhel9:0.5.0-9	cpe:/a:redhat:cryostat:4::el9	RHSA-2025:3503	2025-04-02T00:00:00Z
cryostat/cryostat-db-rhel9:4.0.0-10	cpe:/a:redhat:cryostat:4::el9	RHSA-2025:3503	2025-04-02T00:00:00Z
cryostat/cryostat-grafana-dashboard-rhel9:4.0.0-10	cpe:/a:redhat:cryostat:4::el9	RHSA-2025:3503	2025-04-02T00:00:00Z
cryostat/cryostat-openshift-console-plugin-rhel9:4.0.0-10	cpe:/a:redhat:cryostat:4::el9	RHSA-2025:3503	2025-04-02T00:00:00Z
cryostat/cryostat-operator-bundle:4.0.0-9	cpe:/a:redhat:cryostat:4::el9	RHSA-2025:3503	2025-04-02T00:00:00Z
cryostat/cryostat-ose-oauth-proxy-rhel9:4.0.0-10	cpe:/a:redhat:cryostat:4::el9	RHSA-2025:3503	2025-04-02T00:00:00Z
cryostat/cryostat-reports-rhel9:4.0.0-10	cpe:/a:redhat:cryostat:4::el9	RHSA-2025:3503	2025-04-02T00:00:00Z
cryostat/cryostat-rhel9:4.0.0-10	cpe:/a:redhat:cryostat:4::el9	RHSA-2025:3503	2025-04-02T00:00:00Z
cryostat/cryostat-rhel9-operator:4.0.0-10	cpe:/a:redhat:cryostat:4::el9	RHSA-2025:3503	2025-04-02T00:00:00Z
cryostat/cryostat-storage-rhel9:4.0.0-10	cpe:/a:redhat:cryostat:4::el9	RHSA-2025:3503	2025-04-02T00:00:00Z
cryostat/jfr-datasource-rhel9:4.0.0-10	cpe:/a:redhat:cryostat:4::el9	RHSA-2025:3503	2025-04-02T00:00:00Z
Red Hat Enterprise Linux 9
grafana-0:10.2.6-9.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:3344	2025-03-27T00:00:00Z
opentelemetry-collector-0:0.107.0-10.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:3411	2025-03-31T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
grafana-0:9.0.9-6.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2025:3616	2025-04-07T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
grafana-0:9.2.10-22.el9_4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2025:3618	2025-04-07T00:00:00Z
opentelemetry-collector-0:0.107.0-8.el9_4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2025:3698	2025-04-08T00:00:00Z
Red Hat OpenShift Container Platform 4.14
openshift4/ose-azure-workload-identity-webhook-rhel8:v4.14.0-202504020335.p0.g2cb8201.assembly.stream.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2025:3569	2025-04-09T00:00:00Z
openshift4/ose-cloud-credential-operator:v4.14.0-202504011810.p0.g07cf957.assembly.stream.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2025:3569	2025-04-09T00:00:00Z
Red Hat OpenShift Container Platform 4.17
openshift4/ose-azure-workload-identity-webhook-rhel9:v4.17.0-202504010735.p0.g6707f89.assembly.stream.el9	cpe:/a:redhat:openshift:4.17::el9	RHSA-2025:3565	2025-04-09T00:00:00Z
openshift4/ose-cloud-credential-rhel9-operator:v4.17.0-202504010735.p0.gb00cc87.assembly.stream.el9	cpe:/a:redhat:openshift:4.17::el9	RHSA-2025:3565	2025-04-09T00:00:00Z
Red Hat OpenShift Container Platform 4.18
openshift4/ose-aws-cluster-api-controllers-rhel9:v4.18.0-202504021503.p0.g59febef.assembly.stream.el9	cpe:/a:redhat:openshift:4.18::el9	RHSA-2025:3577	2025-04-10T00:00:00Z
openshift4/ose-azure-workload-identity-webhook-rhel9:v4.18.0-202504021503.p0.gf60e402.assembly.stream.el9	cpe:/a:redhat:openshift:4.18::el9	RHSA-2025:3577	2025-04-10T00:00:00Z
openshift4/ose-cloud-credential-rhel9-operator:v4.18.0-202504021503.p0.gce6f538.assembly.stream.el9	cpe:/a:redhat:openshift:4.18::el9	RHSA-2025:3577	2025-04-10T00:00:00Z
Red Hat OpenShift distributed tracing 3.5.1
registry.redhat.io/rhosdt/tempo-gateway-rhel8:sha256:133f4f1087b0e199f211007ceb2aeae9b9202c5961e812ea4aa037d375a93415	cpe:/a:redhat:openshift_distributed_tracing:3.5::el8	RHSA-2025:3607	2025-04-04T00:00:00Z
registry.redhat.io/rhosdt/tempo-gateway-rhel8:sha256:9502242017d18e1d0b643a93e769b302a38799a9d719e703b64801d65e11dcd4	cpe:/a:redhat:openshift_distributed_tracing:3.5::el8	RHSA-2025:3740	2025-04-09T00:00:00Z
registry.redhat.io/rhosdt/opentelemetry-collector-rhel8:sha256:b7f6e9442ee2ae2b7122a9732eaa11a85b1f0264e60963819c7e5150c1457740	cpe:/a:redhat:openshift_distributed_tracing:3.5::el8	RHSA-2025:3743	2025-04-09T00:00:00Z
Red Hat Trusted Artifact Signer 1.1
registry.redhat.io/rhtas/createtree-rhel9:sha256:d9ff8413f1d106cb5084b48b73b205db6dd5ad82818be4111c5cb118d9d135ae	cpe:/a:redhat:trusted_artifact_signer:1.1::el9	RHSA-2025:3808	2025-04-10T00:00:00Z
registry.redhat.io/rhtas/trillian-database-rhel9:sha256:7ce611aefdfedd8b2a633def482cf41f390c95b8f8c800b6163a585f117a9e2e	cpe:/a:redhat:trusted_artifact_signer:1.1::el9	RHSA-2025:3808	2025-04-10T00:00:00Z
registry.redhat.io/rhtas/trillian-logserver-rhel9:sha256:76c24a38ac89ed632d38e44049f37e4997abfa27fa8cadbb8afb42575031296f	cpe:/a:redhat:trusted_artifact_signer:1.1::el9	RHSA-2025:3808	2025-04-10T00:00:00Z
registry.redhat.io/rhtas/trillian-logsigner-rhel9:sha256:1f5a30a285a16635a7234c3c1763dfb385c8bffd605fc862b782bdb5c6c61ea3	cpe:/a:redhat:trusted_artifact_signer:1.1::el9	RHSA-2025:3808	2025-04-10T00:00:00Z
registry.redhat.io/rhtas/trillian-redis-rhel9:sha256:5a752cefdaf28bfc53847185cdd5fef1ee47e3dcff8472f8a8bf7bbdc224ef57	cpe:/a:redhat:trusted_artifact_signer:1.1::el9	RHSA-2025:3808	2025-04-10T00:00:00Z
registry.redhat.io/rhtas/updatetree-rhel9:sha256:8651f55805f4b32a7ca351caa642b74f88493ca3dfb52ff57cf3c2dbdbf829f7	cpe:/a:redhat:trusted_artifact_signer:1.1::el9	RHSA-2025:3808	2025-04-10T00:00:00Z
registry.redhat.io/rhtas/certificate-transparency-rhel9:sha256:dc994a95be22b0f4bab022fc362c4f44c6a7d1887a2eb0d04870d75654ec013b	cpe:/a:redhat:trusted_artifact_signer:1.1::el9	RHSA-2025:3811	2025-04-10T00:00:00Z
registry.redhat.io/rhtas/timestamp-authority-rhel9:sha256:796860a3e85712c60398c36983e0ff4d45325c7a4de869da2ebf1b6ba4b19825	cpe:/a:redhat:trusted_artifact_signer:1.1::el9	RHSA-2025:3813	2025-04-10T00:00:00Z
registry.redhat.io/rhtas/rekor-backfill-redis-rhel9:sha256:6131053778ea04e437f3005f90d1138aa11ebc58e3a9295e2a8d8ef6713a52be	cpe:/a:redhat:trusted_artifact_signer:1.1::el9	RHSA-2025:3814	2025-04-10T00:00:00Z
registry.redhat.io/rhtas/rekor-cli-rhel9:sha256:4bd68a4b63c15e5a09127d93a20e98508ce2ce8e4649bea3ab8e30cd83f235b2	cpe:/a:redhat:trusted_artifact_signer:1.1::el9	RHSA-2025:3814	2025-04-10T00:00:00Z
registry.redhat.io/rhtas/rekor-server-rhel9:sha256:3b8f49c41df15022f8ffdf3a8f8605b14c14f4e10eae754a06a86b6585d158b3	cpe:/a:redhat:trusted_artifact_signer:1.1::el9	RHSA-2025:3814	2025-04-10T00:00:00Z
registry.redhat.io/rhtas/cosign-rhel9:sha256:2a2aa8c1a224419be83afe46b0226e168927c19c8bd3f9c4e562e5e5caebb6a9	cpe:/a:redhat:trusted_artifact_signer:1.1::el9	RHSA-2025:3820	2025-04-10T00:00:00Z
registry.redhat.io/rhtas/gitsign-rhel9:sha256:bef55c43000f266cdb7cf6ea525f7c52f2ee532b7b487ae9752aac31ebded40f	cpe:/a:redhat:trusted_artifact_signer:1.1::el9	RHSA-2025:3820	2025-04-10T00:00:00Z

References

Link	Providers
https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3
https://github.com/golang-jwt/jwt/commit/bf316c48137a1212f8d0af9288cc9ce8e59f1afb
https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp
https://nvd.nist.gov/vuln/detail/CVE-2025-30204
https://security.netapp.com/advisory/ntap-20250404-0002/
https://www.cve.org/CVERecord?id=CVE-2025-30204

History

Fri, 11 Apr 2025 03:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat trusted Artifact Signer
CPEs		cpe:/a:redhat:openshift:4.18::el9 cpe:/a:redhat:trusted_artifact_signer:1.1::el9
Vendors & Products		Redhat trusted Artifact Signer

Thu, 10 Apr 2025 15:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openshift:4.14::el8

Thu, 10 Apr 2025 13:15:00 +0000

Type	Values Removed	Values Added
Description	golang-jwt is a Go implementation of JSON Web Tokens. Prior to 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.	golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.
References		https://github.com/golang-jwt/jwt/commit/bf316c48137a1212f8d0af9288cc9ce8e59f1afb

Wed, 09 Apr 2025 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat openshift
CPEs		cpe:/a:redhat:openshift:4.17::el9
Vendors & Products		Redhat openshift

Mon, 07 Apr 2025 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Eus
CPEs		cpe:/a:redhat:rhel_eus:9.2 cpe:/a:redhat:rhel_eus:9.4
Vendors & Products		Redhat rhel Eus

Sat, 05 Apr 2025 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat openshift Distributed Tracing
CPEs		cpe:/a:redhat:openshift_distributed_tracing:3.5::el8
Vendors & Products		Redhat openshift Distributed Tracing

Sat, 05 Apr 2025 00:45:00 +0000

Type	Values Removed	Values Added
References		https://security.netapp.com/advisory/ntap-20250404-0002/

Sat, 05 Apr 2025 00:15:00 +0000

Type	Values Removed	Values Added
References	https://security.netapp.com/advisory/ntap-20250404-0002/

Sat, 05 Apr 2025 00:00:00 +0000

Type	Values Removed	Values Added
References		https://security.netapp.com/advisory/ntap-20250404-0002/

Wed, 02 Apr 2025 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat cryostat
CPEs		cpe:/a:redhat:cryostat:4::el9
Vendors & Products		Redhat cryostat

Fri, 28 Mar 2025 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat enterprise Linux
CPEs		cpe:/a:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux

Mon, 24 Mar 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 24 Mar 2025 02:45:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-30204 https://www.cve.org/CVERecord?id=CVE-2025-30204
Metrics	threat_severity `None`	threat_severity `Important`

Fri, 21 Mar 2025 21:45:00 +0000

Type	Values Removed	Values Added
Description		golang-jwt is a Go implementation of JSON Web Tokens. Prior to 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.
Title		jwt-go allows excessive memory allocation during header parsing
Weaknesses		CWE-405
References		https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3 https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-03-21T21:42:01.382Z

Updated: 2025-04-10T13:03:19.897Z

Reserved: 2025-03-18T18:15:13.849Z

Link: CVE-2025-30204

Vulnrichment

Updated: 2025-04-04T23:03:13.309Z

NVD

Status : Awaiting Analysis

Published: 2025-03-21T22:15:26.420

Modified: 2025-04-10T13:15:52.097

Link: CVE-2025-30204

Redhat

Severity : Important

Publid Date: 2025-03-21T21:42:01Z

Links: CVE-2025-30204 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object