CVE-2025-22868 — Improper Validation of Syntactic Correctness of Input in X Oauth2 Golang.org X Oauth2 JWS

CWE-1286 — Improper Validation of Syntactic Correctness of Input CWE-400 — Uncontrolled Resource Consumption CWE-770 — Allocation of Resources Without Limits or Throttling10 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 61.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Golang.org X Oauth2 Golang.org X Oauth2 JWS Github.com Go-jose Go-jose Github.com Go-jose Go-jose V3 +24 more

Timeline

PublishedFeb 26

Latest updateJul 18

Description

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages27 packages

▶NVDgo/jws< 0.27.0

▶Gogolang.org/x_oauth2< 0.27.0

▶Gogithub.com/go-jose_go-jose< 3.0.4

▶Gogithub.com/go-jose_go-jose_v3< 3.0.4

▶Gogithub.com/go-jose_go-jose_v4< 4.0.5

Patches

Patch: go.dev ↗Patch: go.dev ↗

🔴Vulnerability Details

GHSA

golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability↗2025-07-18

▶

OSV

golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability↗2025-07-18

▶

OSV

Unexpected memory consumption during token parsing in golang.org/x/oauth2↗2025-02-26

▶

OSV

CVE-2025-22868: An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing↗2025-02-26

▶

GHSA

DoS in go-jose Parsing↗2025-02-24

▶

📋Vendor Advisories

Red Hat

golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws↗2025-02-26

▶

Microsoft

Unexpected memory consumption during token parsing in golang.org/x/oauth2↗2025-02-11

▶

Debian

CVE-2025-22868: golang-golang-x-oauth2 - An attacker can pass a malicious malformed token which causes unexpected memory ...↗2025

▶