/
DirectorySecurity Advisories
Sign In
Security Advisories

CGA-4r5g-2469-4w9j

Published

Last updated

https://images.chainguard.dev/security/CGA-4r5g-2469-4w9j
Package

gitlab-runner-17.3

RepositoryWolfi
Latest Update
Under investigation
Aliases
  • GHSA-c6gw-w398-hv78

Severity

Unknown

Summary

DoS in go-jose Parsing

Description

Impact

When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of '.' characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.

Patches

Version 4.0.5 fixes this issue

Workarounds

Applications could pre-validate payloads passed to go-jose do not contain an excessive number of '.' characters.

References

This is the same sort of issue as in the golang.org/x/oauth2/jws package as CVE-2025-22868 and Go issue https://go.dev/issue/71490.

References

Updates


Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2025 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Products

Chainguard ContainersChainguard LibrariesChainguard VMs