CVE-2025-30204

Name: CVE-2025-30204
Description: golang-jwt is a Go implementation of JSON Web Tokens. Prior to 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package                         Release       Version               Status
golang-github-golang-jwt-jwt (PTS)     bookworm      4.4.3-1               vulnerable
                                       sid, trixie   5.0.0+really4.5.2-1   fixed
golang-github-golang-jwt-jwt-v5 (PTS)  sid, trixie   5.2.2-1               fixed

The information below is based on the following data on fixed versions.

Package                          Type    Release     Fixed Version         Urgency  Origin  Debian Bugs
golang-github-golang-jwt-jwt     source  (unstable)  5.0.0+really4.5.2-1
golang-github-golang-jwt-jwt-v5  source  (unstable)  5.2.2-1

Notes

[bookworm] - golang-github-golang-jwt-jwt <no-dsa> (Minor issue)
https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp
Fixed by: https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3 (v5.2.2)
Fixed by: https://github.com/golang-jwt/jwt/commit/2f0e9add62078527821828c76865661aa7718a84 (v4.5.2)
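The description above boils down to one pattern: an unbounded strings.Split over attacker-controlled input allocates one string header (16 bytes on 64-bit Go) per segment before any validation happens. The following is an added Go example, not golang-jwt's own code, that places that unbounded split beside a bounded strings.Cut-based split which rejects a token with more than two periods in constant space, plus a length cap applied to the Authorization header before parsing. The names splitUnbounded, splitBounded and bearerToken, the 64-byte cap, and all inputs are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Added example (not golang-jwt's code): contrasts the unbounded split the
// advisory describes with a bounded split that rejects malformed tokens
// before allocating anything proportional to the input.

// ErrMalformed is returned when the token does not have exactly three
// dot-separated segments.
var ErrMalformed = errors.New("token is malformed: expected header.payload.signature")

// splitUnbounded mirrors the pre-fix behaviour: strings.Split allocates one
// 16-byte string header per segment, so a token made of n periods yields n+1
// segments and roughly 16*(n+1) bytes of allocation before any validation.
func splitUnbounded(token string) []string {
	return strings.Split(token, ".")
}

// splitBounded cuts at most three times and refuses anything with more than
// two dots. Allocation is constant no matter how long the input is.
func splitBounded(token string) ([3]string, error) {
	var parts [3]string
	header, rest, ok := strings.Cut(token, ".")
	if !ok {
		return parts, ErrMalformed
	}
	payload, rest, ok := strings.Cut(rest, ".")
	if !ok {
		return parts, ErrMalformed
	}
	// A third dot means a fourth segment: reject instead of scanning further.
	signature, _, extra := strings.Cut(rest, ".")
	if extra {
		return parts, ErrMalformed
	}
	parts[0], parts[1], parts[2] = header, payload, signature
	return parts, nil
}

// bearerToken extracts the token from an Authorization header value and
// enforces a caller-chosen length cap (hypothetical policy) before parsing.
func bearerToken(authz string, maxLen int) (string, error) {
	const prefix = "Bearer "
	if !strings.HasPrefix(authz, prefix) {
		return "", errors.New("not a Bearer token")
	}
	tok := authz[len(prefix):]
	if len(tok) > maxLen {
		return "", fmt.Errorf("token too long: %d > %d bytes", len(tok), maxLen)
	}
	return tok, nil
}

func main() {
	// Constructed input: a "token" that is nothing but periods.
	malicious := strings.Repeat(".", 1<<16)
	fmt.Printf("unbounded split: %d segments (~%d bytes of string headers)\n",
		len(splitUnbounded(malicious)), 16*(len(malicious)+1))
	_, err := splitBounded(malicious)
	fmt.Println("bounded split:", err)

	// A well-formed token shape (constructed, not a signed JWT) still splits.
	parts, err := splitBounded("eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ4In0.sig")
	fmt.Println(parts, err)

	// The header-level cap stops the malicious input before any split runs.
	_, err = bearerToken("Bearer "+malicious, 4096)
	fmt.Println("bearerToken:", err)
}
```

The cap matters because Go's net/http accepts request headers up to DefaultMaxHeaderBytes (1 MiB) by default, so without it a single request carrying a 1 MiB run of periods drives roughly 16 MiB of allocation through the unbounded split; the bounded split alone already removes that amplification, and the cap adds defence in depth for whatever else touches the token.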
