Package details: pkg:golang/github.com/golang-jwt/jwt/v5@5.2.2
purl pkg:golang/github.com/golang-jwt/jwt/v5@5.2.2
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability: VCID-s5gr-zsbz-xkbe
Aliases: CVE-2025-30204, GHSA-mh63-6h87-95cp
Summary: jwt-go allows excessive memory allocation during header parsing

### Summary

Function [`parse.ParseUnverified`](https://github.com/golang-jwt/jwt/blob/c035977d9e11c351f4c05dfeae193923cbab49ee/parser.go#L138-L139) currently splits (via a call to [strings.Split](https://pkg.go.dev/strings#Split)) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose _Authorization_ header consists of `Bearer ` followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16.

Relevant weakness: [CWE-405: Asymmetric Resource Consumption (Amplification)](https://cwe.mitre.org/data/definitions/405.html)

### Details

See [`parse.ParseUnverified`](https://github.com/golang-jwt/jwt/blob/c035977d9e11c351f4c05dfeae193923cbab49ee/parser.go#L138-L139)

### Impact

Excessive memory allocation

History

Date: 2026-04-01T12:56:09.455521+00:00
Actor: GithubOSV Importer
Action: Fixing
Vulnerability: VCID-s5gr-zsbz-xkbe
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-mh63-6h87-95cp/GHSA-mh63-6h87-95cp.json
VulnerableCode Version: 38.0.0