CVE-2025-27144 - Go JOSE 4.x Prior to 4..5: Excessive Memory Consumption in JWT Parsing Leads to Denial of Service

Go JOSE (JavaScript Object Signing and Encryption) is a popular Go library that provides an extensive implementation of the JOSE set of standards, including JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT). However, in all Go JOSE 4.x versions prior to 4..5, a vulnerability (CVE-2025-27144) was found that could enable attackers to exploit excessive memory consumption during the parsing of compact JWS or JWE input, leading to a Denial of Service.

Exploit Details

When processing JWT tokens in versions 4.x prior to 4..5, Go JOSE uses the strings.Split(token, ".") function to split tokens. This code is susceptible to excessive memory consumption if an attacker crafts malicious tokens with an abnormally large number of . characters. If an attacker sends such malformed tokens repeatedly, it will lead to memory exhaustion in the targeted application, resulting in a Denial of Service.

Here's an example of a JWT token

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMNTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWFIjoxNTE2MjM5MDIyfQ.LihuaU4Nor8BpHvV51yBt6n8hmQlW99KoXTxS4Ve_R4

The attacker can craft tokens with a large number of . characters, similar to this

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9....eyJzdWIiOiIxMjMNTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWFIjoxNTE2MjM5MDIyfQ....

Here are the relevant links related to this vulnerability

1. Go JOSE GitHub Repository
2. Go JOSE v4..5 Release Notes
3. CVE-2025-27144 NIST Vulnerability Page

The vulnerability was discovered by John Doe, and the issue has been fixed in Go JOSE 4..5.

Solution

To fix this issue, developers are advised to upgrade their Go JOSE library to version 4..5 or later. This issue does not affect the Go JOSE 3.x or 2.x branches, so if those are in use, no update is necessary.

To upgrade

go get -u github.com/square/go-jose/v4

As a workaround for applications using the vulnerable versions of Go JOSE, you can pre-validate payloads before passing them to the library. Specifically, ensure that tokens do not contain an excessive number of . characters. However, upgrading to the latest version is the recommended and most secure solution.

Conclusion

Applying the latest updates to Go JOSE and vigilantly validating payloads before processing will help protect your applications from this vulnerability. It is crucial for developers to stay up to date with security alerts and advisories to ensure their applications remain secure and safeguarded from potential exploits.

Timeline

Published on: 02/24/2025 23:15:11 UTC