CVE-2025-30204
📋 TL;DR
This vulnerability in golang-jwt allows attackers to cause denial of service through resource exhaustion by sending malicious JWT tokens with many period characters. The parse.ParseUnverified function allocates excessive memory when processing these tokens, potentially crashing affected services. Any Go application using vulnerable versions of golang-jwt for JWT parsing is affected.
💻 Affected Systems
- golang-jwt/jwt library
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Service crashes due to memory exhaustion, leading to complete denial of service and potential service unavailability.
Likely Case
Degraded performance and increased memory usage, potentially causing intermittent service disruptions.
If Mitigated
Minimal impact with proper rate limiting and input validation in place.
🎯 Exploit Status
Exploitation requires sending specially crafted JWT tokens. No authentication needed if the service accepts external JWT tokens.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.2.2 or 4.5.2
Vendor Advisory: https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp
Restart Required: Yes
Instructions:
1. Update go.mod to require golang-jwt/jwt v5.2.2 or v4.5.2
2. Run 'go mod tidy'
3. Rebuild and redeploy your application
4. Restart affected services
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement input validation to reject JWT tokens with excessive periods before they reach parse.ParseUnverified
// Go code example: if strings.Count(token, ".") > 2 { return errors.New("malformed token: too many segments") }
Rate Limiting
Implement rate limiting on authentication endpoints to limit the impact of repeated malicious requests
🧯 If You Can't Patch
- Implement WAF rules to block requests with Authorization headers containing excessive period characters
- Deploy reverse proxy with request size limits and input validation before requests reach vulnerable services
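The following Go guard is an added example, not code from this page or from the golang-jwt project. It implements the period-count workaround from the Temporary Workarounds section together with the request-size and input-validation check from the "If You Can't Patch" list, as a function you could run in middleware or a reverse proxy before the token ever reaches parse.ParseUnverified. The limits (maxTokenLen), the function names and the sample tokens are constructed assumptions for illustration; the period count of exactly two corresponds to the three segments of a compact JWS.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constructed limits for this example; tune them to your deployment.
const (
	maxTokenLen = 8192 // compact JWS tokens are normally far shorter
	jwsSegments = 3    // header.payload.signature
)

var (
	errTooLong   = errors.New("token exceeds maximum length")
	errSegments  = errors.New("token does not have exactly three segments")
	errEmptySeg  = errors.New("token has an empty segment")
	errNotBase64 = errors.New("token segment is not base64url")
)

// ValidateJWTShape cheaply rejects malformed compact JWS strings before a
// parser such as golang-jwt's ParseUnverified sees them. It checks length,
// segment count and base64url decodability only; signature verification
// is still the job of the real parser.
func ValidateJWTShape(token string) error {
	if len(token) > maxTokenLen {
		return errTooLong
	}
	// strings.Count is a single O(n) pass with no allocation, so a token
	// stuffed with periods is rejected before any per-segment work happens.
	if strings.Count(token, ".") != jwsSegments-1 {
		return errSegments
	}
	for _, seg := range strings.Split(token, ".") {
		if seg == "" {
			// Also rejects alg=none tokens, whose signature segment is empty.
			return errEmptySeg
		}
		if _, err := base64.RawURLEncoding.DecodeString(seg); err != nil {
			return errNotBase64
		}
	}
	return nil
}

// BearerToken extracts the token from an Authorization header value and
// applies ValidateJWTShape, so it can sit in front of a vulnerable service.
func BearerToken(header string) (string, error) {
	const prefix = "Bearer "
	if !strings.HasPrefix(header, prefix) {
		return "", errors.New("missing Bearer scheme")
	}
	tok := strings.TrimSpace(header[len(prefix):])
	if err := ValidateJWTShape(tok); err != nil {
		return "", err
	}
	return tok, nil
}

func main() {
	// Constructed sample inputs: a well-formed (unsigned) token and a
	// "period flood" of the kind the advisory describes.
	good := "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln"
	flood := "a" + strings.Repeat(".", 10000)
	for _, h := range []string{"Bearer " + good, "Bearer " + flood} {
		_, err := BearerToken(h)
		fmt.Printf("header length %d: err=%v\n", len(h), err)
	}
}
```

The length check runs first so that an oversized header is rejected without even being scanned; the period count then catches floods that fit under the size limit. Because the guard rejects an empty signature segment, a service that deliberately accepts alg=none tokens would need to relax that one check.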
🔍 How to Verify
Check if Vulnerable:
Check go.mod or go.sum for golang-jwt/jwt version. Vulnerable if version >=3.2.0 and <5.2.2, or >=4.0.0 and <4.5.2
Check Version:
go list -m all | grep golang-jwt/jwt
Verify Fix Applied:
Verify go.mod requires golang-jwt/jwt v5.2.2+ or v4.5.2+. Run 'go list -m all | grep jwt' to confirm version
📡 Detection & Monitoring
Log Indicators:
- High memory usage spikes
- Application crashes or restarts
- Multiple failed authentication attempts with similar patterns
Network Indicators:
- HTTP requests with Authorization headers containing many period characters
- Unusually large Authorization headers
SIEM Query:
source="application_logs" AND ("out of memory" OR "panic" OR "crash") AND process="your_app_name"