CVE-2025-22868

Name: CVE-2025-22868
Description: An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues)
Debian Bugs: 1098967

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package                Release      Version                    Status
golang-golang-x-oauth2 (PTS)  bullseye     0.0~git20190604.0f29369-2  vulnerable
                              bookworm     0.3.0-1                    vulnerable
                              sid, trixie  0.27.0-1                   fixed

The information below is based on the following data on fixed versions.

Package                 Type    Release     Fixed Version  Urgency  Origin  Debian Bugs
golang-golang-x-oauth2  source  (unstable)  0.27.0-1                        1098967

Notes

[bookworm] - golang-golang-x-oauth2 <no-dsa> (Minor issue)
[bullseye] - golang-golang-x-oauth2 <ignored> (minor bug; DoS and at least 144 packages to rebuild)
https://pkg.go.dev/vuln/GO-2025-3488
https://go-review.googlesource.com/c/oauth2/+/652155
https://github.com/golang/go/issues/71490
