/
DirectorySecurity Advisories
Sign In
Security Advisories

CGA-wwh5-2c9f-j8f6

Published

Last updated

https://images.chainguard.dev/security/CGA-wwh5-2c9f-j8f6
Package

argo-cd-2.9

Repository

Chainguard

Latest Update
Under investigation
Aliases
  • GHSA-c6gw-w398-hv78

Severity

Unknown

Summary

DoS in go-jose Parsing

Description

Impact

When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of '.' characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.

Patches

Version 4.0.5 fixes this issue

Workarounds

Applications could pre-validate payloads passed to go-jose do not contain an excessive number of '.' characters.

References

This is the same sort of issue as in the golang.org/x/oauth2/jws package as CVE-2025-22868 and Go issue https://go.dev/issue/71490.

References

Updates


Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2025 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Products

Chainguard ContainersChainguard LibrariesChainguard VMs