6.6

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-27144

GHSA ID

GHSA-c6gw-w398-hv78

EPSS Score

0.16917%

CWE

CWE-400

Published

2/24/2025

Updated

2/26/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-27144

CVE-2025-27144:
DoS in go-jose Parsing

Impact

When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of '.' characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.

Patches

Version 4.0.5 fixes this issue

Workarounds

Applications could pre-validate payloads passed to go-jose do not contain an excessive number of '.' characters.

References

This is the same sort of issue as in the golang.org/x/oauth2/jws package as CVE-2025-22868 and Go issue https://go.dev/issue/71490.

(GitHub Advisory)

6.6

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-27144

GHSA ID

GHSA-c6gw-w398-hv78

EPSS Score

0.16917%

CWE

CWE-400

Published

2/24/2025

Updated

2/26/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/go-jose/go-jose/v4	go	< 4.0.5	4.0.5
github.com/go-jose/go-jose/v3	go	< 3.0.4	3.0.4
github.com/go-jose/go-jose	go	< 3.0.4	3.0.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description states that the strings.Split(token, ".") call was the source of excessive memory consumption. The provided commit 99b346cec4e86d102284642c5dcbe9bb0cacfc22 shows changes in two functions, ParseEncryptedCompact in jwe.go and parseSignedCompact in jws.go. In both functions, the vulnerable strings.Split(input, ".") call was replaced with strings.SplitN(input, ".", n) and an additional check using strings.Count(input, ".") was added to ensure the correct number of parts before splitting. This directly addresses the described vulnerability. The test file jws_test.go was also updated with test cases for tokens with an excessive number of parts, further confirming these functions were the ones affected.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t W**n p*rsin* *omp**t JWS or JW* input, *o-jos* *oul* us* *x**ssiv* m*mory. T** *o** us** strin*s.Split(tok*n, ".") to split JWT tok*ns, w*i** is vuln*r**l* to *x**ssiv* m*mory *onsumption w**n pro**ssin* m*li*iously *r**t** tok*ns wit* * l

Reasoning

T** vuln*r**ility **s*ription st*t*s t**t t** `strin*s.Split(tok*n, ".")` **ll w*s t** sour** o* *x**ssiv* m*mory *onsumption. T** provi*** *ommit `****************************************` s*ows ***n**s in two *un*tions, `P*rs**n*rypt***omp**t` in `

6.6

Basic Information

Concerned about an active attack path?

CVE-2025-27144: DoS in go-jose Parsing

Impact

Patches

Workarounds

References

6.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-27144:
DoS in go-jose Parsing

Vulnerability Intelligence
Miggo AI