Cyber Posture

CVE-2025-22868

Severity: High
Published: 26 February 2025
Modified: 01 May 2025
KEV: not listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0013 (31.1st percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-22868 is a high-severity Improper Validation of Syntactic Correctness of Input (CWE-1286) vulnerability in the jws package of the golang.org/x/oauth2 Go module. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 31.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 (Flaw Remediation), prevent: requires timely remediation of the vulnerability by updating golang.org/x/oauth2 to a patched release, which eliminates the memory exhaustion during malformed token parsing.

SC-5 (Denial-of-service Protection), prevent: directly protects against denial-of-service attacks that cause resource exhaustion, such as the unexpected memory consumption triggered by malformed tokens.

SI-10 (Information Input Validation), prevent: validates information inputs such as tokens and rejects malformed ones (oversize input, wrong number of segments) before they reach the vulnerable parsing code. This is a compensating control only; it does not replace the upgrade.

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability lets a remote, unauthenticated attacker drive the jws token parser in golang.org/x/oauth2 into memory exhaustion with a crafted token, denying service to the process that parses it. That is a direct match for application/system exploitation aimed at resource depletion.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

Deeper analysis

CVE-2025-22868 is a vulnerability in the jws package of the golang.org/x/oauth2 module (the Go OAuth 2.0 client library), not in the Go toolchain itself. An attacker can pass a malicious malformed token that causes unexpected memory consumption during parsing. The issue is classified as CWE-1286 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): a high-severity denial-of-service risk with no impact on confidentiality or integrity.

Exploitation requires only network reach to a service that feeds untrusted tokens into the affected parser, with no privileges or user interaction. A successful attack drives memory use in the affected process up during token parsing, leading to denial of service through resource exhaustion.

Mitigation details are in the Go security advisory GO-2025-3488 (https://pkg.go.dev/vuln/GO-2025-3488), with the related issue tracked at https://go.dev/issue/71490 and the fix in code review CL 652155 (https://go.dev/cl/652155). Update golang.org/x/oauth2 to a release that includes the fix (0.27.0 or later), rebuild and redeploy. Because the module is usually pulled in transitively, run govulncheck ./... against each binary to confirm whether it actually calls the affected code, and treat reachability, not mere presence in go.sum, as the trigger for emergency patching.
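The following Go program is added here as an illustration and is not the code of golang.org/x/oauth2 or of the fix in CL 652155. It reconstructs the class of defect the advisory describes: a compact-serialisation parser that splits the whole attacker-supplied token on "." before it checks the segment count, so a token made of nothing but separators forces an allocation proportional to its length. The hardened variant caps the input size and splits into at most four pieces, so rejecting a malformed token costs constant memory. The function names, the 8 KiB cap and the sample tokens are assumptions of this example.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Vulnerable pattern (reconstruction, not the library's code): split the
// entire token first and check the part count afterwards. strings.Split
// allocates one string header per separator, so a token made of N dots
// materialises N+1 substrings before the length check can reject it.
func splitNaive(token string) ([]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jws: invalid token received, token must have 3 parts")
	}
	return parts, nil
}

// naivePartCount exposes the attacker-controlled allocation of splitNaive.
func naivePartCount(token string) int {
	return len(strings.Split(token, "."))
}

// maxTokenLen is an assumed upper bound for a compact JWS; derive it from
// the largest token your own issuer legitimately produces.
const maxTokenLen = 8 * 1024

// splitBounded rejects oversize input up front and splits into at most
// four pieces (three parts plus any remainder), so the work done on a
// malformed token is constant regardless of how many dots it contains.
func splitBounded(token string) ([]string, error) {
	if len(token) > maxTokenLen {
		return nil, fmt.Errorf("jws: token length %d exceeds limit %d", len(token), maxTokenLen)
	}
	parts := strings.SplitN(token, ".", 4)
	if len(parts) != 3 {
		return nil, errors.New("jws: invalid token received, token must have exactly 3 parts")
	}
	// Header and payload must be non-empty base64url; an empty segment is malformed.
	for i, p := range parts[:2] {
		if p == "" {
			return nil, fmt.Errorf("jws: part %d is empty", i)
		}
	}
	return parts, nil
}

// boundedPartCount shows the fixed-size result of the bounded split.
func boundedPartCount(token string) int {
	return len(strings.SplitN(token, ".", 4))
}

// parseCompact decodes the header and payload of a compact JWS using the
// bounded splitter. It does not verify the signature; that step belongs
// after structural validation and is unaffected by this fix.
func parseCompact(token string) (header, payload []byte, sig string, err error) {
	parts, err := splitBounded(token)
	if err != nil {
		return nil, nil, "", err
	}
	if header, err = base64.RawURLEncoding.DecodeString(parts[0]); err != nil {
		return nil, nil, "", fmt.Errorf("jws: bad header encoding: %w", err)
	}
	if payload, err = base64.RawURLEncoding.DecodeString(parts[1]); err != nil {
		return nil, nil, "", fmt.Errorf("jws: bad payload encoding: %w", err)
	}
	return header, payload, parts[2], nil
}

func main() {
	// Constructed inputs: a well-formed token and a separator flood.
	good := "eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJ4In0.c2ln"
	flood := strings.Repeat(".", 1000000)

	h, p, _, err := parseCompact(good)
	fmt.Printf("good token: header=%s payload=%s err=%v\n", h, p, err)

	fmt.Printf("flood: naive split materialises %d parts\n", naivePartCount(flood))
	fmt.Printf("flood: bounded split materialises %d parts\n", boundedPartCount(flood))
	_, err = splitBounded(flood)
	fmt.Println("flood rejected by bounded parser:", err)
}
```

Both parsers reject the flood, but only the bounded one does so without first allocating a slice proportional to the attacker's input; that difference, multiplied across concurrent requests, is the denial of service. The same two checks (size cap before parsing, bounded split) are what an input-validation layer in front of an unpatched service should enforce until the upgrade lands.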

Details

CWE(s): CWE-1286 Improper Validation of Syntactic Correctness of Input

Affected Products: golang.org/x/oauth2 (jws package), versions before 0.27.0; fixed in 0.27.0 per GO-2025-3488

CVEs Like This One

CVE-2025-22869 (same vendor: Go)
CVE-2025-0638 (shared CWE-1286)
CVE-2026-21917 (shared CWE-1286)
CVE-2026-33778 (shared CWE-1286)
CVE-2025-59785 (shared CWE-1286)
CVE-2025-41719 (shared CWE-1286)
CVE-2026-40198 (shared CWE-1286)
CVE-2026-6442 (shared CWE-1286)
CVE-2026-25513 (shared CWE-1286)
