PT-2025-12455 · Unknown+9 · Golang-Jwt+9

Zimbatm · Published 2025-03-21 · Updated 2026-05-13 · CVE-2025-30204

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

golang-jwt versions prior to 4.5.2
golang-jwt versions prior to 5.2.2

Description

The issue affects the parse.ParseUnverified function, which splits untrusted data on periods. This can lead to allocations of O(n) bytes when faced with a malicious request containing many period characters in the Authorization header.

Recommendations

For versions prior to 4.5.2, update to version 4.5.2 or later. For versions prior to 5.2.2, update to version 5.2.2 or later. As a temporary workaround, consider restricting the length of the Authorization header to prevent excessive allocations.
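One way to apply the temporary workaround in a Go service, as an added example that is not code from golang-jwt or from this advisory: an `net/http` middleware that rejects oversized Authorization headers before any JWT parsing happens. The names `maxAuthHeaderLen`, `authHeaderOK` and `limitAuthHeader` and the 8 KiB cap are assumptions, and the period count on Bearer tokens goes beyond the length limit the advisory recommends.

```go
package main

import (
	"log"
	"net/http"
	"strings"
)

// maxAuthHeaderLen is an assumed cap (8 KiB); size it to the largest token you issue.
const maxAuthHeaderLen = 8 << 10

// authHeaderOK reports whether an Authorization header value is safe to hand
// to a JWT parser: bounded length and, for Bearer tokens, exactly two periods
// (header.payload.signature). strings.Count scans the string without allocating.
func authHeaderOK(v string) bool {
	const scheme = "Bearer "
	if len(v) > maxAuthHeaderLen {
		return false
	}
	if len(v) < len(scheme) || !strings.EqualFold(v[:len(scheme)], scheme) {
		return true // other schemes never reach the JWT parser; length is still capped
	}
	return strings.Count(v[len(scheme):], ".") == 2
}

// limitAuthHeader rejects requests whose Authorization header fails the check
// above, so downstream handlers only parse bounded, well-shaped tokens.
func limitAuthHeader(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, v := range r.Header.Values("Authorization") {
			if !authHeaderOK(v) {
				http.Error(w, "invalid Authorization header", http.StatusBadRequest)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", limitAuthHeader(ok)))
}
```

The middleware only reduces exposure until the dependency is updated to 4.5.2 or 5.2.2; a server-wide bound such as `http.Server.MaxHeaderBytes` can be set alongside it.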

Exploit

Fix

DoS


Weakness Enumeration

Related Identifiers

ALSA-2025:3344
ALSA-2025:4669
ALSA-2025:7404
ALSA-2025:7425
ALSA-2025:7475
ALSA-2025:7967
ALT-PU-2025-7475
AZL-59159
AZL-59162
AZL-59165
AZL-59168
AZL-59169
AZL-59172
AZL-59177
AZL-59180
AZL-59183
AZL-59186
AZL-59193
AZL-59196
AZL-59204
AZL-59207
AZL-59209
AZL-59217
AZL-59220
AZL-59223
AZL-59227
AZL-59229
AZL-59233
AZL-59235
AZL-59239
AZL-59242
AZL-77490
AZL-77493
AZL-77496
AZL-77498
AZL-77508
AZL-77511
AZL-77514
AZL-77517
AZL-77520
AZL-77522
AZL-77535
BDU:2025-08472
CESA-2025_7967
CVE-2025-30204
ECHO-1E35-08AB-F1A8
GHSA-MH63-6H87-95CP
GO-2025-3553
INFSA-2025_3344
INFSA-2025_3411
INFSA-2025_4669
INFSA-2025_7404
INFSA-2025_7425
INFSA-2025_7967
OPENSUSE-SU-2025:14937-1
OPENSUSE-SU-2025:14954-1
OPENSUSE-SU-2025:14956-1
OPENSUSE-SU-2025:14973-1
OPENSUSE-SU-2025:14989-1
OPENSUSE-SU-2025:14990-1
OPENSUSE-SU-2025:15037-1
OPENSUSE-SU-2025:15052-1
OPENSUSE-SU-2025:15054-1
OPENSUSE-SU-2025:15307-1
OPENSUSE-SU-2025:15418-1
OPENSUSE-SU-2025:15419-1
OPENSUSE-SU-2025:15454-1
OPENSUSE-SU-2025:15606-1
OPENSUSE-SU-2025:20117-1
OPENSUSE-SU-2025_1285-1
OPENSUSE-SU-2025_1332-1
OPENSUSE-SU-2026:10099-1
OPENSUSE-SU-2026:10100-1
OPENSUSE-SU-2026:10230-1
OPENSUSE-SU-2026:10255-1
OPENSUSE-SU-2026:10302-1
OPENSUSE-SU-2026:20366-1
OPENSUSE-SU-2026:20620-1
OPENSUSE-SU-2026:20798-1
RHSA-2025:3344
RHSA-2025:3411
RHSA-2025:3616
RHSA-2025:3618
RHSA-2025:3698
RHSA-2025:4462
RHSA-2025:4569
RHSA-2025:4669
RHSA-2025:7404
RHSA-2025:7407
RHSA-2025:7425
RHSA-2025:7475
RHSA-2025:7479
RHSA-2025:7503
RHSA-2025:7967
RHSA-2025:8075
RHSA-2025:8267
RHSA-2025_3344
RHSA-2025_3411
RHSA-2025_4669
RHSA-2025_7404
RHSA-2025_7407
RHSA-2025_7425
RHSA-2025_7967
RHSA-2026:1536
SUSE-SU-2025:02769-1
SUSE-SU-2025:1285-1
SUSE-SU-2025:1332-1
SUSE-SU-2025_02769-1
SUSE-SU-2026:0592-1
SUSE-SU-2026:0641-1
SUSE-SU-2026:0659-1
SUSE-SU-2026:0972-1
SUSE-SU-2026:1118-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Red Hat
Red Os
Rocky Linux
Suse
Golang-Jwt