Cyber Posture

CVE-2025-22868

Severity: High
Published: 26 February 2025
Modified: 01 May 2025
KEV Added: none listed
Patch: none listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0017 (37.7th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

Security Summary

CVE-2025-22868 is a vulnerability in the Go jws package (see Affected Products below) that allows an attacker to pass a malicious malformed token, resulting in unexpected memory consumption during parsing. The issue is classified as CWE-1286 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): a high-severity denial-of-service risk with no impact on confidentiality or integrity.

A remote attacker needs only network access, with no privileges or user interaction, to exploit the vulnerability. Successful exploitation causes significant memory exhaustion in the affected component during token parsing, leading to denial of service through resource depletion.

Mitigation details are outlined in the Go security advisory GO-2025-3488 at https://pkg.go.dev/vuln/GO-2025-3488; the related issue is tracked at https://go.dev/issue/71490 and the fix was submitted in code review CL 652155 at https://go.dev/cl/652155. Security practitioners should update to the patched versions recommended in these resources.

Details

CWE(s): CWE-1286

Affected Products

go / jws, versions ≤ 0.27.0
