Summary
Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.
As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)
Details
Impact
Excessive memory allocation
References:- https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp
- https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3
- https://nvd.nist.gov/vuln/detail/CVE-2025-30204
- https://github.com/golang-jwt/jwt/commit/bf316c48137a1212f8d0af9288cc9ce8e59f1afb
- https://security.netapp.com/advisory/ntap-20250404-0002
- https://github.com/advisories/GHSA-mh63-6h87-95cp