CVE-2025-27144Allocation of Resources Without Limits or Throttling in Go-jose Go-jose

CWE-770Allocation of Resources Without Limits or ThrottlingCWE-400Uncontrolled Resource Consumption9 documents7 sources
Severity
6.6MEDIUMNVD
GHSA7.5OSV7.5
EPSS
0.1%
top 70.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Github.com Go-jose Go-joseGithub.com Go-jose Go-jose V3Github.com Go-jose Go-jose V4+1 more
Timeline
PublishedFeb 24
Latest updateMar 3

Description

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted toke

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages4 packages

CVEListV5go-jose/go-jose>= 4.0.0, < 4.0.5

🔴Vulnerability Details

5
OSV
DoS in go-jose Parsing in github.com/go-jose/go-jose2025-03-03
GHSA
DoS in go-jose Parsing2025-02-24
OSV
DoS in go-jose Parsing2025-02-24
OSV
CVE-2025-27144: Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (2025-02-24
CVEList
Go JOSE's Parsing Vulnerable to Denial of Service2025-02-24

📋Vendor Advisories

3
Red Hat
go-jose: Go JOSE's Parsing Vulnerable to Denial of Service2025-02-24
Microsoft
Go JOSE's Parsing Vulnerable to Denial of Service2025-02-11
Debian
CVE-2025-27144: golang-github-go-jose-go-jose - Go JOSE provides an implementation of the Javascript Object Signing and Encrypti...2025
CVE-2025-27144 — Go-jose Go-jose vulnerability | cvebase