CVE-2025-27144

EUVD-2025-4268
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters.  An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 29%
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang-github-go-jose-go-jose
focal
dne
jammy
dne
noble
needs-triage
oracular
ignored
plucky
ignored
questing
ignored
resolute
needs-triage
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
apptainer
suse enterprise server 15 SP6
1.4.5-150600.4.12.1
fixed
apptainer-sle15_6
suse enterprise server 15 SP6
1.4.5-150600.4.12.1
fixed
buildah
suse enterprise sap 15 SP6
1.35.5-150500.3.34.1
fixed
suse enterprise sap 15 SP7
1.35.5-150500.3.34.1
fixed
suse enterprise server 15 SP3
1.35.5-150300.8.39.1
fixed
suse enterprise server 15 SP4
1.35.5-150400.3.68.1
fixed
suse enterprise server 15 SP5
1.35.5-150500.3.62.1
fixed
suse enterprise server 15 SP6
1.35.5-150500.3.62.1
fixed
suse enterprise server 15 SP7
1.35.5-150500.3.34.1
fixed
cosign
suse enterprise desktop 15 SP6
2.5.0-150400.3.27.1
fixed
suse enterprise desktop 15 SP7
2.5.0-150400.3.27.1
fixed
suse enterprise sap 15 SP6
2.5.0-150400.3.27.1
fixed
suse enterprise sap 15 SP7
2.5.0-150400.3.27.1
fixed
suse enterprise server 15 SP4
2.5.0-150400.3.27.1
fixed
suse enterprise server 15 SP5
2.5.0-150400.3.27.1
fixed
suse enterprise server 15 SP6
2.5.0-150400.3.27.1
fixed
suse enterprise server 15 SP7
2.5.0-150400.3.27.1
fixed
cosign-bash-completion
suse enterprise desktop 15 SP7
2.5.0-150400.3.27.1
fixed
suse enterprise sap 15 SP7
2.5.0-150400.3.27.1
fixed
suse enterprise server 15 SP7
2.5.0-150400.3.27.1
fixed
cosign-zsh-completion
suse enterprise desktop 15 SP7
2.5.0-150400.3.27.1
fixed
suse enterprise sap 15 SP7
2.5.0-150400.3.27.1
fixed
suse enterprise server 15 SP7
2.5.0-150400.3.27.1
fixed
libsquashfuse0
suse enterprise server 15 SP6
0.5.0-150600.3.2.1
fixed
podman
suse enterprise sap 15 SP6
4.9.5-150500.3.43.2
fixed
suse enterprise sap 15 SP7
4.9.5-150500.3.40.1
fixed
suse enterprise server 15 SP3
4.9.5-150300.9.49.2
fixed
suse enterprise server 15 SP4
4.9.5-150400.4.47.2
fixed
suse enterprise server 15 SP5
4.9.5-150500.3.43.2
fixed
suse enterprise server 15 SP6
4.9.5-150500.3.43.2
fixed
suse enterprise server 15 SP7
4.9.5-150500.3.40.1
fixed
podman-docker
suse enterprise sap 15 SP6
4.9.5-150500.3.43.2
fixed
suse enterprise sap 15 SP7
4.9.5-150500.3.40.1
fixed
suse enterprise server 15 SP4
4.9.5-150400.4.47.2
fixed
suse enterprise server 15 SP5
4.9.5-150500.3.43.2
fixed
suse enterprise server 15 SP6
4.9.5-150500.3.43.2
fixed
suse enterprise server 15 SP7
4.9.5-150500.3.40.1
fixed
podman-remote
suse enterprise sap 15 SP6
4.9.5-150500.3.43.2
fixed
suse enterprise sap 15 SP7
4.9.5-150500.3.40.1
fixed
suse enterprise server 15 SP3
4.9.5-150300.9.49.2
fixed
suse enterprise server 15 SP4
4.9.5-150400.4.47.2
fixed
suse enterprise server 15 SP5
4.9.5-150500.3.43.2
fixed
suse enterprise server 15 SP6
4.9.5-150500.3.43.2
fixed
suse enterprise server 15 SP7
4.9.5-150500.3.40.1
fixed
podmansh
suse enterprise sap 15 SP6
4.9.5-150500.3.43.2
fixed
suse enterprise sap 15 SP7
4.9.5-150500.3.40.1
fixed
suse enterprise server 15 SP5
4.9.5-150500.3.43.2
fixed
suse enterprise server 15 SP6
4.9.5-150500.3.43.2
fixed
suse enterprise server 15 SP7
4.9.5-150500.3.40.1
fixed
rekor
suse enterprise desktop 15 SP6
1.3.10-150400.4.25.1
fixed
suse enterprise desktop 15 SP7
1.3.10-150400.4.25.1
fixed
suse enterprise sap 15 SP6
1.3.10-150400.4.25.1
fixed
suse enterprise sap 15 SP7
1.3.10-150400.4.25.1
fixed
suse enterprise server 15 SP4
1.3.10-150400.4.25.1
fixed
suse enterprise server 15 SP5
1.3.10-150400.4.25.1
fixed
suse enterprise server 15 SP6
1.3.10-150400.4.25.1
fixed
suse enterprise server 15 SP7
1.3.10-150400.4.25.1
fixed
skopeo
suse enterprise desktop 15 SP6
1.14.4-150300.11.19.1
fixed
suse enterprise desktop 15 SP7
1.14.4-150300.11.19.1
fixed
suse enterprise sap 15 SP6
1.14.4-150300.11.19.1
fixed
suse enterprise sap 15 SP7
1.14.4-150300.11.19.1
fixed
suse enterprise server 15 SP3
1.14.4-150300.11.19.1
fixed
suse enterprise server 15 SP4
1.14.4-150300.11.19.1
fixed
suse enterprise server 15 SP5
1.14.4-150300.11.19.1
fixed
suse enterprise server 15 SP6
1.14.4-150300.11.19.1
fixed
suse enterprise server 15 SP7
1.14.4-150300.11.19.1
fixed
skopeo-bash-completion
suse enterprise desktop 15 SP6
1.14.4-150300.11.19.1
fixed
suse enterprise desktop 15 SP7
1.14.4-150300.11.19.1
fixed
suse enterprise sap 15 SP6
1.14.4-150300.11.19.1
fixed
suse enterprise sap 15 SP7
1.14.4-150300.11.19.1
fixed
suse enterprise server 15 SP6
1.14.4-150300.11.19.1
fixed
suse enterprise server 15 SP7
1.14.4-150300.11.19.1
fixed
skopeo-zsh-completion
suse enterprise desktop 15 SP6
1.14.4-150300.11.19.1
fixed
suse enterprise desktop 15 SP7
1.14.4-150300.11.19.1
fixed
suse enterprise sap 15 SP6
1.14.4-150300.11.19.1
fixed
suse enterprise sap 15 SP7
1.14.4-150300.11.19.1
fixed
suse enterprise server 15 SP6
1.14.4-150300.11.19.1
fixed
suse enterprise server 15 SP7
1.14.4-150300.11.19.1
fixed
squashfuse
suse enterprise server 15 SP6
0.5.0-150600.3.2.1
fixed
squashfuse-tools
suse enterprise server 15 SP6
0.5.0-150600.3.2.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
buildah
RHEL 9
2:1.39.4-1.el9_6
fixed
buildah-tests
RHEL 9
2:1.39.4-1.el9_6
fixed
opentelemetry-collector
RHEL 9
0:0.107.0-8.el9_6
fixed
osbuild-composer
RHEL 9
0:132.2-3.el9_6
fixed
osbuild-composer-core
RHEL 9
0:132.2-3.el9_6
fixed
osbuild-composer-worker
RHEL 9
0:132.2-3.el9_6
fixed
podman
RHEL 9
5:5.4.0-9.el9_6
fixed
podman-docker
RHEL 9
5:5.4.0-9.el9_6
fixed
podman-plugins
RHEL 9
5:5.4.0-9.el9_6
fixed
podman-remote
RHEL 9
5:5.4.0-9.el9_6
fixed
podman-tests
RHEL 9
5:5.4.0-9.el9_6
fixed
skopeo
RHEL 9
2:1.18.1-1.el9_6
fixed
skopeo-tests
RHEL 9
2:1.18.1-1.el9_6
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
containerd
Amazon Linux 2023
0:1.7.27-1.amzn2023.0.2
fixed
containerd-debuginfo
Amazon Linux 2023
0:1.7.27-1.amzn2023.0.2
fixed
containerd-debugsource
Amazon Linux 2023
0:1.7.27-1.amzn2023.0.2
fixed
containerd-stress
Amazon Linux 2023
0:1.7.27-1.amzn2023.0.2
fixed
containerd-stress-debuginfo
Amazon Linux 2023
0:1.7.27-1.amzn2023.0.2
fixed
nerdctl
Amazon Linux 2
0:2.0.4-1.amzn2.0.1
fixed
Amazon Linux 2023
0:2.0.4-1.amzn2023.0.1
fixed
nerdctl-debuginfo
Amazon Linux 2
0:2.0.4-1.amzn2.0.1
fixed
runfinch-finch
Amazon Linux 2023
0:1.7.1-1.amzn2023.0.1
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
buildah
Azure Linux 3.0
0:1.41.4-2.azl3
fixed
cert-manager
Azure Linux 3.0
0:1.12.15-2.azl3
fixed
CBL-Mariner 2.0
0:1.11.2-19.cm2
fixed
containerd
Azure Linux 3.0
0:1.7.13-7.azl3
fixed
containerd2
Azure Linux 3.0
0:2.0.0-6.azl3
fixed
containerized-data-importer
Azure Linux 3.0
0:1.57.0-13.azl3
fixed
CBL-Mariner 2.0
0:1.55.0-23.cm2
fixed
cri-o
CBL-Mariner 2.0
0:1.22.3-12.cm2
fixed
dcos-cli
Azure Linux 3.0
0:1.2.0-17.azl3
fixed
CBL-Mariner 2.0
0:1.2.0-20.cm2
fixed
gh
Azure Linux 3.0
0:2.62.0-7.azl3
fixed
ig
Azure Linux 3.0
0:0.37.0-2.azl3
fixed
influxdb
Azure Linux 3.0
0:2.7.5-2.azl3
fixed
CBL-Mariner 2.0
0:2.6.1-21.cm2
fixed
keda
Azure Linux 3.0
0:2.14.1-3.azl3
fixed
CBL-Mariner 2.0
0:2.4.0-27.cm2
fixed
kube-vip-cloud-provider
CBL-Mariner 2.0
0:0.0.2-20.cm2
fixed
kubernetes
Azure Linux 3.0
0:1.30.10-3.azl3
fixed
CBL-Mariner 2.0
0:0.0.0.cm2
fixed
moby-containerd
CBL-Mariner 2.0
0:1.6.26-10.cm2
fixed
moby-containerd-cc
Azure Linux 3.0
0:1.7.7-9.azl3
fixed
CBL-Mariner 2.0
0:1.7.7-11.cm2
fixed
packer
Azure Linux 3.0
0:1.9.5-6.azl3
fixed
CBL-Mariner 2.0
0:1.9.5-9.cm2
fixed
podman
Azure Linux 3.0
0:5.6.1-2.azl3
fixed
rook
CBL-Mariner 2.0
0:1.6.2-25.cm2
fixed
skopeo
Azure Linux 3.0
0:1.14.4-4.azl3
fixed
CBL-Mariner 2.0
0:1.14.2-10.cm2
fixed
telegraf
Azure Linux 3.0
0:1.31.0-8.azl3
fixed
CBL-Mariner 2.0
0:1.29.4-12.cm2
fixed