CVE-2025-27144

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-27144

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-27144.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-27144

Aliases

Downstream

DEBIAN-CVE-2025-27144

MINI-56qp-4hrm-g2cg

MINI-5c26-v7h4-6649

MINI-96j5-m6vp-q457

MINI-98f4-8fh4-xx5q

MINI-c2r8-8347-5c8j

MINI-cch2-7gp7-pqj7

MINI-cw65-mxmp-c5hp

MINI-fjph-7vr4-rgx6

MINI-hjp8-w4pp-3qhr

MINI-mjmf-3gx2-35w5

MINI-p77v-j94p-hxx6

MINI-p95r-24gv-vr57

MINI-pcwh-p4cq-cgvr

MINI-rvhc-r8p7-h9fv

MINI-vrh9-j9c8-x7hm

MINI-w9h4-hvm6-xww9

MINI-wjpm-j337-hxpq

MINI-xc7f-vrxx-344q

MINI-xvj6-qf8r-mvm5

OESA-2025-2176

OESA-2025-2177

OESA-2025-2233

OESA-2025-2258

OESA-2025-2297

RHSA-2025:3061

RHSA-2025:3068

RHSA-2025:3335

RHSA-2025:3593

RHSA-2025:7389

RHSA-2025:7391

RHSA-2025:7397

RHSA-2025:7407

RHSA-2025:7459

RHSA-2025:7462

RHSA-2025:7467

RHSA-2025:7479

RLSA-2025:7389

RLSA-2025:7391

RLSA-2025:7397

RLSA-2025:7459

RLSA-2025:7462

RLSA-2025:7467

RLSA-2025:7479

SUSE-RU-2025:02091-1

SUSE-RU-2025:02092-1

SUSE-RU-2025:02093-1

SUSE-SU-2025:01985-1

SUSE-SU-2025:0772-1

SUSE-SU-2025:0775-1

SUSE-SU-2025:0785-1

SUSE-SU-2025:0786-1

SUSE-SU-2025:0811-1

SUSE-SU-2025:0812-1

SUSE-SU-2025:0813-1

SUSE-SU-2025:0980-1

SUSE-SU-2025:1009-1

SUSE-SU-2025:1010-1

SUSE-SU-2025:1011-1

SUSE-SU-2025:1014-1

SUSE-SU-2025:1017-1

SUSE-SU-2025:1018-1

SUSE-SU-2025:1036-1

SUSE-SU-2025:1037-1

SUSE-SU-2025:1038-1

SUSE-SU-2025:1332-1

SUSE-SU-2025:1333-1

UBUNTU-CVE-2025-27144

openSUSE-SU-2025:0080-1

openSUSE-SU-2025:14839-1

openSUSE-SU-2025:14840-1

openSUSE-SU-2025:14865-1

openSUSE-SU-2025:14871-1

openSUSE-SU-2025:14889-1

openSUSE-SU-2025:14909-1

openSUSE-SU-2025:14988-1

openSUSE-SU-2025:14990-1

Related

Published

2025-02-24T22:22:22Z

Modified

2025-10-20T20:30:40.711163Z

Severity

6.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

Go JOSE's Parsing Vulnerable to Denial of Service

Details

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of . characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of . characters.

Database specific

{
    "cwe_ids": [
        "CWE-770"
    ]
}

References

Affected packages

Git / github.com/go-jose/go-jose

Affected ranges

Type: GIT
Repo: https://github.com/go-jose/go-jose
Events: Introduced

2658f467ede28af28a7883041677ff460dda3f69

Fixed

99b346cec4e86d102284642c5dcbe9bb0cacfc22

Affected versions

v4.*

v4.0.0

v4.0.1

v4.0.2

v4.0.3

v4.0.4