CVE-2025-22868
Published: 26 February 2025
Summary
CVE-2025-22868 is a high-severity Improper Validation of Syntactic Correctness of Input (CWE-1286) vulnerability in Go Jws. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 31.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-22868 is a vulnerability in the Go programming language that allows an attacker to pass a malicious malformed token, resulting in unexpected memory consumption during parsing. This issue, associated with CWE-1286, carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating a high-severity denial-of-service risk with no impact on confidentiality or integrity.
Remote attackers require only network access and no privileges or user interaction to exploit the vulnerability. Successful exploitation causes significant memory exhaustion in the affected Go component during token parsing, leading to denial of service through resource depletion.
Mitigation details are outlined in the Go security advisory GO-2025-3488 at https://pkg.go.dev/vuln/GO-2025-3488, with a related issue tracked at https://go.dev/issue/71490 and a fix submitted in code review CL 652155 at https://go.dev/cl/652155. Security practitioners should update to patched Go versions as recommended in these resources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5341
Vulnerability details
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote exploitation of a Go token parser to cause memory exhaustion and denial of service via crafted input, directly mapping to application/system exploitation for resource depletion.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely remediation of the Go vulnerability through patching to eliminate memory exhaustion during malformed token parsing.
- SC-5 (Denial-of-service Protection): directly protects against denial-of-service attacks causing resource exhaustion, such as unexpected memory consumption from malformed tokens.
- Input validation: validates information inputs such as tokens to reject malformed ones before they trigger the vulnerable parsing mechanism in Go.
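The input-validation control above is easiest to reason about as a gate placed in front of the token parser. The following Go program is an added example written for this page; it is not the Go project's fix for CVE-2025-22868 and is not taken from the advisory. It assumes the token uses JWS compact serialization (three base64url segments separated by dots, RFC 7515) and applies constructed size caps (maxTokenBytes, maxSegmentBytes) and an alphabet check before any decoding, so that a malformed or oversized token is rejected with bounded work rather than being handed to a parser whose memory use scales with the input. The sample tokens in main are constructed; signature verification is out of scope.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Size caps for the pre-parse gate. These values are constructed for the
// example; a deployment should size them to the tokens it actually issues.
const (
	maxTokenBytes   = 8 * 1024 // whole compact token
	maxSegmentBytes = 4 * 1024 // each of header, payload, signature
)

var ErrMalformedToken = errors.New("malformed token")

// CompactJWS holds the three decoded segments of a compact-serialized JWS.
type CompactJWS struct {
	Header    []byte // raw JSON of the protected header
	Payload   []byte // raw payload bytes (JSON claims for a JWT)
	Signature []byte // raw signature bytes
}

// isBase64URL reports whether s uses only the unpadded base64url alphabet
// (RFC 4648 section 5), which is what compact JWS segments must use.
func isBase64URL(s string) bool {
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case 'A' <= c && c <= 'Z', 'a' <= c && c <= 'z', '0' <= c && c <= '9', c == '-', c == '_':
		default:
			return false
		}
	}
	return true
}

// ParseCompactJWS checks the shape and size of a token before any decoding
// happens, so a malformed or oversized token is rejected with bounded work
// instead of reaching a parser that may allocate in proportion to it.
// Signature verification is deliberately out of scope here.
func ParseCompactJWS(token string) (*CompactJWS, error) {
	if n := len(token); n == 0 || n > maxTokenBytes {
		return nil, fmt.Errorf("%w: token length %d not in 1..%d", ErrMalformedToken, n, maxTokenBytes)
	}
	// Splitting an already size-capped string costs at most O(maxTokenBytes).
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("%w: expected 3 dot-separated segments, got %d", ErrMalformedToken, len(parts))
	}
	var out CompactJWS
	dst := [3]*[]byte{&out.Header, &out.Payload, &out.Signature}
	for i, p := range parts {
		// Empty segments are rejected, including the empty signature an
		// unsecured (alg "none") JWS would carry; this gate is conservative.
		if len(p) == 0 || len(p) > maxSegmentBytes {
			return nil, fmt.Errorf("%w: segment %d length %d not in 1..%d", ErrMalformedToken, i, len(p), maxSegmentBytes)
		}
		if !isBase64URL(p) {
			return nil, fmt.Errorf("%w: segment %d contains non-base64url bytes", ErrMalformedToken, i)
		}
		// Decoding at most maxSegmentBytes yields at most 3/4 of that, so
		// memory is bounded before the bytes ever reach a JSON parser.
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("%w: segment %d: %v", ErrMalformedToken, i, err)
		}
		*dst[i] = b
	}
	return &out, nil
}

func main() {
	// Constructed sample: header {"alg":"RS256"}, payload {"iss":"x"}, signature "sig".
	good := "eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJ4In0.c2ln"
	bad := []string{
		"eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJ4In0",       // only two segments
		"eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJ4In0.c2ln!", // byte outside the alphabet
		strings.Repeat("A", maxTokenBytes+1),         // oversized token
		"eyJhbGciOiJSUzI1NiJ9..c2ln",                 // empty payload segment
	}
	if t, err := ParseCompactJWS(good); err == nil {
		fmt.Printf("ok: header=%s payload=%s siglen=%d\n", t.Header, t.Payload, len(t.Signature))
	}
	for _, tok := range bad {
		_, err := ParseCompactJWS(tok)
		fmt.Println("rejected:", err)
	}
}
```

The gate runs in time linear in the capped token length and allocates at most three buffers bounded by maxSegmentBytes, which is the property the SC-5 and input-validation controls are asking for; it complements patching (SI-2) rather than replacing it, because a correctly shaped token still reaches the underlying parser.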