CVE-2025-30204: Golang-jwt Vulnerability: A Comprehensive Analysis

JSON Web Tokens (JWT) have become a popular method of handling authentication and authorization in modern web applications. This post discusses a vulnerability (CVE-2025-30204) in the golang-jwt library, which serves as a Go implementation of JSON Web Tokens.

The vulnerability affects golang-jwt versions prior to 5.2.2 and 4.5.2. Specifically, the ParseUnverified function, which is responsible for splitting JWT tokens, can be exploited by an attacker to cause excessive memory allocations, potentially leading to a Denial-of-Service (DoS) attack. This post will provide an in-depth look at the vulnerability, including relevant code snippets and references to original sources.

A Quick Overview of golang-jwt

_golang-jwt_ is an open-source library that provides a Go implementation of JSON Web Tokens. You can check the repository on GitHub here. Applications built using this library can easily encode/decode, sign/verify, and manage JWTs for authentication and authorization purposes.

What is the root cause of the vulnerability?

The vulnerability lies within the ParseUnverified() function. This function takes an untrusted argument and splits it using the period (.) character. Prior to versions 5.2.2 and 4.5.2, the function incurred excessive memory allocations to the tune of O(n) bytes (where n denotes the length of the function's argument) with a constant factor of approximately 16. The issue has been fixed in versions 5.2.2 and 4.5.2.

Here's a simplified view of the vulnerable code snippet

package jwt

import "strings"

func parseUnverified(tokenString string) (Token, error) {
    parts := strings.Split(tokenString, ".") // <-- This was exploitable!
    ...
}

When an attacker submits a malicious request with an Authorization header containing Bearer followed by a vast number of period characters, the strings.Split() call inside the ParseUnverified() function will cause unintended memory allocations, potentially leading to a DoS attack.

Exploit Details

To exploit this vulnerability, an attacker could craft an HTTP request containing an Authorization header consisting of the word Bearer , immediately followed by a large number of period characters. This would result in the target application allocating an excessive amount of memory, leading to a Denial-of-Service (DoS) attack.

Here's an example of a possible exploit

GET /some/endpoint HTTP/1.1
Host: example.com
Authorization: Bearer ........................................................................

Fixing the Vulnerability

Thankfully, this vulnerability has been addressed in the golang-jwt library in versions 5.2.2 and 4.5.2. By upgrading to these versions, the problem will be resolved. To upgrade, simply update your project's dependencies to include the latest version of the library.

Conclusion

This post has discussed a known vulnerability (CVE-2025-30204) in the golang-jwt library, which could potentially result in a DoS attack. The vulnerability affects versions of the library prior to 5.2.2 and 4.5.2, and it has been fixed in these versions. To mitigate the risk of this issue, it is recommended that developers update to the latest version of the golang-jwt library.

More information and updates related to this vulnerability can be found at the following sources

- golang-jwt GitHub Repository
- golang-jwt Release Notes

Timeline

Published on: 03/21/2025 22:15:26 UTC