CVE-2025-30204
Published: 21 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-30204 is a denial-of-service vulnerability in the golang-jwt library, a Go implementation of JSON Web Tokens. The issue affects versions starting from 3.2.0 up to but not including 5.2.2 and 4.5.2. Specifically, the parse.ParseUnverified function splits its untrusted input argument—typically from an Authorization header—using strings.Split on periods, resulting in O(n) byte allocations where n is the input length and the constant factor is approximately 16. This leads to excessive memory consumption, classified under CWE-405 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A remote, unauthenticated attacker can exploit this vulnerability by crafting a malicious HTTP request with an Authorization header containing "Bearer " followed by a large number of period characters. When the vulnerable parse.ParseUnverified function processes this input, it triggers significant memory allocations, potentially exhausting server resources and causing denial of service through application crashes or severe performance degradation.
Advisories recommend upgrading to golang-jwt versions 5.2.2 or 4.5.2, where the issue is fixed, as detailed in the GitHub security advisory GHSA-mh63-6h87-95cp and associated commits. NetApp's advisory NTAP-20250404-0002 also notes affected products and urges patching.
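The defensive shape check below is an added example and is not code from golang-jwt or from the advisories: it rejects an Authorization header whose token is oversized or does not have exactly the three period-separated segments of a compact JWS before any JWT library splits it. The 8 KiB length bound, the function names and the sample headers are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Assumed bound for this example (not a golang-jwt setting): real tokens
// are well under a few KiB, and a compact JWS has exactly two periods.
const maxTokenLength = 8192

var (
	ErrNoBearer       = errors.New("authorization header is not a Bearer token")
	ErrTokenTooLong   = errors.New("token exceeds maximum length")
	ErrTokenMalformed = errors.New("token does not have exactly three segments")
)

// bearerTokenFromHeader extracts and shape-checks the credential before any
// JWT parser sees it. strings.Count scans without allocating, so a header
// padded with thousands of periods is rejected in constant memory.
func bearerTokenFromHeader(header string) (string, error) {
	const prefix = "Bearer "
	if !strings.HasPrefix(header, prefix) {
		return "", ErrNoBearer
	}
	token := header[len(prefix):]
	if len(token) > maxTokenLength {
		return "", ErrTokenTooLong
	}
	if strings.Count(token, ".") != 2 {
		return "", ErrTokenMalformed
	}
	return token, nil
}

// segmentCount is how many strings strings.Split hands back for the same
// input, i.e. what the vulnerable code path allocates per request.
func segmentCount(token string) int {
	return len(strings.Split(token, "."))
}

func main() {
	// Constructed inputs: a well-formed three-segment token (unsigned, for
	// shape only) and the period-flood pattern described in the advisory.
	good := "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2ln"
	flood := "Bearer " + strings.Repeat(".", 100000)
	for _, h := range []string{good, flood} {
		tok, err := bearerTokenFromHeader(h)
		fmt.Printf("segments=%d accepted=%v err=%v\n", segmentCount(strings.TrimPrefix(h, "Bearer ")), tok != "", err)
	}
}
```

Placing such a check at the HTTP handler, ahead of the library call, limits the cost of a flood request to one linear scan of the header even on library versions that still split first.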
Details
- CWE(s): CWE-405
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables an attacker to cause application DoS via memory exhaustion by sending a single crafted HTTP request exploiting the JWT parsing flaw, matching T1499.004 Application or System Exploitation.