Headline
GHSA-c6gw-w398-hv78: DoS in go-jose Parsing
Impact
When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, “.”) to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of ‘.’ characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.
Patches
Version 4.0.5 fixes this issue
Workarounds
Applications could pre-validate payloads passed to go-jose do not contain an excessive number of ‘.’ characters.
References
This is the same sort of issue as in the golang.org/x/oauth2/jws package as CVE-2025-22868 and Go issue https://go.dev/issue/71490.
Impact
When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, “.”) to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of ‘.’ characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.
Patches
Version 4.0.5 fixes this issue
Workarounds
Applications could pre-validate payloads passed to go-jose do not contain an excessive number of ‘.’ characters.
References
This is the same sort of issue as in the golang.org/x/oauth2/jws package as CVE-2025-22868 and Go issue https://go.dev/issue/71490.
References
- GHSA-c6gw-w398-hv78
- golang/go#71490
- go-jose/go-jose@99b346c
- https://go.dev/issue/71490