PT-2025-7796 · Go Jose+5 · Go-Jose+5

Mcpherrin · Published 2025-02-24 · Updated 2026-02-20 · CVE-2025-27144

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

Go JOSE versions 4.0.0 through 4.0.4

Description

The issue is related to excessive memory consumption when parsing compact JWS or JWE input. The code uses strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of "." characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.

Recommendations

For versions 4.0.0 through 4.0.4, update to version 4.0.5 to fix the issue. As a temporary workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of "." characters.
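
The workaround from the recommendation, written out as an added example (not Go JOSE's own code): a pre-check that rejects a token by separator count before it reaches the library, without building the slice that strings.Split would allocate. The function name PrevalidateCompact, the error values and the 16 KiB length limit are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// maxTokenLen is an assumed application limit, not a Go JOSE constant.
const maxTokenLen = 16 * 1024

var (
	ErrTooLong  = errors.New("token exceeds length limit")
	ErrBadShape = errors.New("token is not compact JWS or JWE")
)

// PrevalidateCompact counts "." separators without allocating and stops once
// the count exceeds 4. Compact JWS has 3 parts (2 dots), compact JWE has 5
// parts (4 dots); it returns "JWS" or "JWE" when the token has that shape.
func PrevalidateCompact(token string) (string, error) {
	if len(token) > maxTokenLen {
		return "", ErrTooLong
	}
	dots := 0
	for i := 0; i < len(token); i++ {
		if token[i] == '.' {
			if dots++; dots > 4 {
				return "", ErrBadShape
			}
		}
	}
	switch dots {
	case 2:
		return "JWS", nil
	case 4:
		return "JWE", nil
	}
	return "", ErrBadShape
}

func main() {
	// Constructed inputs: a JWS-shaped string and a run of separators.
	for _, tok := range []string{"aGVhZA.cGF5bG9hZA.c2ln", strings.Repeat(".", 4096)} {
		kind, err := PrevalidateCompact(tok)
		fmt.Printf("len=%d kind=%q err=%v\n", len(tok), kind, err)
	}
}
```

Run the check on the raw token and reject on error before passing it to Go JOSE; it is a stopgap for 4.0.0 through 4.0.4, not a replacement for the update to 4.0.5.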

Exploit

Fix

DoS

Resource Exhaustion

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

ALSA-2025:19566
ALSA-2025:7389
ALSA-2025:7397
ALSA-2025:7459
ALSA-2025:7462
ALSA-2025:7467
AZL-57096
AZL-57099
AZL-57102
AZL-57105
AZL-57108
AZL-57111
AZL-57114
AZL-57117
AZL-57120
AZL-57123
AZL-57126
AZL-57129
AZL-57132
AZL-57135
AZL-57138
AZL-57144
AZL-57147
AZL-57153
AZL-57162
AZL-57165
AZL-57168
AZL-57171
AZL-57174
AZL-57177
AZL-57180
AZL-57183
AZL-57186
AZL-57192
AZL-57195
AZL-57198
AZL-57201
AZL-57204
AZL-57207
BDU:2025-08606
CVE-2025-27144
ECHO-B02B-0D2E-92A7
GHSA-C6GW-W398-HV78
GO-2025-3485
INFSA-2025_19594
INFSA-2025_3335
INFSA-2025_7389
INFSA-2025_7391
INFSA-2025_7397
OESA-2025-2176
OESA-2025-2177
OESA-2025-2233
OESA-2025-2258
OESA-2025-2297
OPENSUSE-SU-2025:0080-1
OPENSUSE-SU-2025:14839-1
OPENSUSE-SU-2025:14840-1
OPENSUSE-SU-2025:14865-1
OPENSUSE-SU-2025:14871-1
OPENSUSE-SU-2025:14889-1
OPENSUSE-SU-2025:14909-1
OPENSUSE-SU-2025:14988-1
OPENSUSE-SU-2025:14990-1
OPENSUSE-SU-2025:15158-1
OPENSUSE-SU-2025:15304-1
OPENSUSE-SU-2025:15305-1
OPENSUSE-SU-2025:15307-1
OPENSUSE-SU-2025:20117-1
OPENSUSE-SU-2025_0772-1
OPENSUSE-SU-2025_0775-1
OPENSUSE-SU-2025_0785-1
OPENSUSE-SU-2025_0786-1
OPENSUSE-SU-2025_0811-1
OPENSUSE-SU-2025_0812-1
OPENSUSE-SU-2025_0813-1
OPENSUSE-SU-2025_0980-1
OPENSUSE-SU-2025_1011-1
OPENSUSE-SU-2025_1014-1
OPENSUSE-SU-2025_1017-1
OPENSUSE-SU-2025_1018-1
OPENSUSE-SU-2025_1036-1
OPENSUSE-SU-2025_1037-1
OPENSUSE-SU-2025_1038-1
OPENSUSE-SU-2025_1332-1
OPENSUSE-SU-2025_1333-1
OPENSUSE-SU-2026:10230-1
OPENSUSE-SU-2026:20654-1
OPENSUSE-SU-2026:20730-1
OPENSUSE-SU-2026:20798-1
RHSA-2025:19566
RHSA-2025:19594
RHSA-2025:3061
RHSA-2025:3068
RHSA-2025:3335
RHSA-2025:3593
RHSA-2025:7389
RHSA-2025:7391
RHSA-2025:7397
RHSA-2025:7407
RHSA-2025:7459
RHSA-2025:7462
RHSA-2025:7467
RHSA-2025:7479
RHSA-2025_19594
RHSA-2025_3335
RHSA-2025_7389
RHSA-2025_7391
RHSA-2025_7397
RHSA-2025_7407
SUSE-RU-2025:02091-1
SUSE-RU-2025:02092-1
SUSE-RU-2025:02093-1
SUSE-SU-2025:01985-1
SUSE-SU-2025:0772-1
SUSE-SU-2025:0775-1
SUSE-SU-2025:0785-1
SUSE-SU-2025:0786-1
SUSE-SU-2025:0811-1
SUSE-SU-2025:0812-1
SUSE-SU-2025:0813-1
SUSE-SU-2025:0980-1
SUSE-SU-2025:1009-1
SUSE-SU-2025:1010-1
SUSE-SU-2025:1011-1
SUSE-SU-2025:1014-1
SUSE-SU-2025:1017-1
SUSE-SU-2025:1018-1
SUSE-SU-2025:1036-1
SUSE-SU-2025:1037-1
SUSE-SU-2025:1038-1
SUSE-SU-2025:1332-1
SUSE-SU-2025:1333-1
SUSE-SU-2025:20143-1
SUSE-SU-2025:20179-1
SUSE-SU-2025:20198-1
SUSE-SU-2025:20279-1
SUSE-SU-2025:20363-1
SUSE-SU-2025:20869-1
SUSE-SU-2025_0772-1
SUSE-SU-2025_0785-1
SUSE-SU-2025_0786-1
SUSE-SU-2025_0811-1
SUSE-SU-2025_0812-1
SUSE-SU-2026:0439-1
SUSE-SU-2026:0592-1

Affected Products

Almalinux
Go-Jose
Red Hat
Red Os
Rocky Linux
Suse