/
DirectorySecurity Advisories
Sign In
Security Advisories

CGA-7qx6-qpqv-j52c

Published

Last updated

https://images.chainguard.dev/security/CGA-7qx6-qpqv-j52c
Package

istio-fips-1.21

Repository

Chainguard

Latest Update
Fixed
Fixed Version

1.21.6-r6

Aliases
  • CVE-2025-27144
  • GHSA-c6gw-w398-hv78

Summary

DoS in go-jose Parsing

Description

Impact

When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of '.' characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.

Patches

Version 4.0.5 fixes this issue

Workarounds

Applications could pre-validate payloads passed to go-jose do not contain an excessive number of '.' characters.

References

This is the same sort of issue as in the golang.org/x/oauth2/jws package as CVE-2025-22868 and Go issue https://go.dev/issue/71490.

References

Updates

Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2025 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Products

Chainguard ContainersChainguard LibrariesChainguard VMs

Why Chainguard

Container Image SecurityVulnerability RemediationCompliance and Risk MitigationSoftware Supply Chain SecurityAI/ML Security

Customers

Customer StoriesChainguard Love

Company

About UsPricingContact UsOpen SourceCareersNewsroomLegal

Resources

Unchained BlogEventsTrust CenterDocumentation