/
DirectorySecurity Advisories
Sign In
Security Advisories

CGA-35h7-wx3q-c3g2

Published

Last updated

https://images.chainguard.dev/security/CGA-35h7-wx3q-c3g2
Package

dapr-1.13

Repository

Chainguard

Latest Update
Pending upstream fix
Aliases
  • CVE-2025-30204
  • GHSA-mh63-6h87-95cp

Severity

Unknown

Summary

jwt-go allows excessive memory allocation during header parsing

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

References

Updates

Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2025 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Products

Chainguard ContainersChainguard LibrariesChainguard VMs

Why Chainguard

Container Image SecurityVulnerability RemediationCompliance and Risk MitigationSoftware Supply Chain SecurityAI/ML Security

Customers

Customer StoriesChainguard Love

Company

About UsPricingContact UsOpen SourceCareersNewsroomLegal

Resources

Unchained BlogEventsTrust CenterDocumentation