CVE-2025-30204
Published: 21 March 2025
Summary
CVE-2025-30204 is a high-severity Amplification (CWE-405) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 29.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the vulnerability by requiring timely remediation of the flaw in the golang-jwt library, i.e. upgrading to the fixed versions 5.2.2 or 4.5.2.
- SC-5 (Denial-of-service Protection): provides protection mechanisms such as rate limiting or input throttling that limit memory exhaustion from malicious Authorization headers containing excessive periods.
- SI-10 (Information Input Validation): requires validation of untrusted inputs such as Authorization headers for length, format, and content, so that malformed JWT payloads are rejected before parse.ParseUnverified processes them.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables an attacker to cause application DoS via memory exhaustion by sending a single crafted HTTP request exploiting the JWT parsing flaw, matching T1499.004 Application or System Exploitation.
NVD Description
golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.
Deeper analysis
CVE-2025-30204 is a denial-of-service vulnerability in the golang-jwt library, a Go implementation of JSON Web Tokens. It affects versions from 3.2.0 up to, but not including, the fixed releases 5.2.2 and 4.5.2. The parse.ParseUnverified function splits its untrusted input argument, typically taken from an Authorization header, on periods using strings.Split. Every separator in the input produces another segment, so the call allocates O(n) bytes, where n is the input length, with a constant factor of approximately 16. This unbounded allocation is the excessive memory consumption classified under CWE-405, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A remote, unauthenticated attacker can exploit this vulnerability by crafting a malicious HTTP request with an Authorization header containing "Bearer " followed by a large number of period characters. When the vulnerable parse.ParseUnverified function processes this input, it triggers significant memory allocations, potentially exhausting server resources and causing denial of service through application crashes or severe performance degradation.
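To show why the unbounded split is costly and how a bounded parser avoids it, here is an added Go example; it is not golang-jwt's own code or its fix, and maxTokenLen, splitBounded and the constructed hostile input are assumptions for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unsafe"
)

const maxTokenLen = 8192 // assumed cap for this example, not a golang-jwt value

var ErrMalformed = errors.New("token is malformed")

// splitUnbounded mirrors the vulnerable pattern: strings.Split returns one
// string header per segment, so n periods yield n+1 headers before any
// byte of the token has been validated.
func splitUnbounded(token string) []string {
	return strings.Split(token, ".")
}

// unboundedSliceBytes is the size of that segment slice (16 bytes per
// header on 64-bit platforms), i.e. the O(n) cost the advisory describes.
func unboundedSliceBytes(token string) int {
	return len(splitUnbounded(token)) * int(unsafe.Sizeof(""))
}

// splitBounded is the hardened form: a length cap, then at most three
// segments peeled off with strings.Cut. A missing, empty or fourth segment
// is rejected, so the work done is constant whatever the input length.
func splitBounded(token string) ([3]string, error) {
	var parts [3]string
	if len(token) > maxTokenLen {
		return parts, ErrMalformed
	}
	rest := token
	for i := 0; i < 3; i++ {
		seg, after, found := strings.Cut(rest, ".")
		if seg == "" || (i < 2 && !found) || (i == 2 && found) {
			return parts, ErrMalformed
		}
		parts[i], rest = seg, after
	}
	return parts, nil
}

func main() {
	hostile := strings.Repeat(".", 100000) // constructed hostile input
	fmt.Println("unbounded header bytes:", unboundedSliceBytes(hostile))
	_, err := splitBounded(hostile)
	fmt.Println("bounded:", err)
}
```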
Advisories recommend upgrading to golang-jwt versions 5.2.2 or 4.5.2, where the issue is fixed, as detailed in the GitHub security advisory GHSA-mh63-6h87-95cp and associated commits. NetApp's advisory NTAP-20250404-0002 also notes affected products and urges patching.
Details
- CWE(s)