Go JOSE: Go JOSE memory exhaustion (CVE-2025-27144) #shorts

Summary

In today's episode, we discuss CVE-2025-27144, a newly discovered denial of service vulnerability found in the Go JOSE library, impacting versions up to 4.0.4. This vulnerability can be exploited via maliciously crafted tokens, leading to excessive memory consumption and potential service disruption.

Product Details

Go JOSE is a Go-based implementation of the Javascript Object Signing and Encryption standards, including JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT). The affected versions are all releases in the 4.x series prior to version 4.0.5.

Vulnerability Type Summary

CVE-2025-27144 is categorized under CWE-770, which is the Allocation of Resources Without Limits or Throttling. This means that the software does not limit the amount of resources that can be consumed, which can lead to Denial of Service conditions when faced with malicious inputs.

Details of the Vulnerability

The vulnerability stems from the way Go JOSE parses compact JWS or JWE inputs, particularly when handling JWT tokens. The parser used strings.Split(token, ".") to divide tokens, which allocates one substring for every `.` separator, so an input consisting mostly of `.` characters produces a slice many times larger than the token itself and drives memory use far beyond the size of the request. An attacker could exploit this by sending such malformed tokens to cause memory exhaustion and denial of service. Currently, there's no known exploit, but users are advised to upgrade to version 4.0.5 or, as a workaround, validate the token structure (in particular, the number of `.` characters) before handing it to the library.
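The pre-validation workaround mentioned above, as an added example that is not code from the Go JOSE project: the check bounds the token length and counts separators with strings.Count (which scans without allocating), accepting only the 3-segment JWS or 5-segment JWE shapes; the limit of 8192 bytes and the sample tokens are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// A compact JWS has 3 base64url segments (2 dots); a compact JWE has 5 (4 dots).
const (
	jwsSegments = 3
	jweSegments = 5
)

var (
	ErrTooLong     = errors.New("token exceeds maximum length")
	ErrBadSegments = errors.New("token does not have 3 (JWS) or 5 (JWE) segments")
)

// ValidateCompactToken rejects oversized or mis-shaped tokens before they reach
// a parser that would call strings.Split. strings.Count only scans the input,
// so a token made of thousands of dots is refused without allocating a
// substring per separator. It returns the segment count on success.
func ValidateCompactToken(token string, maxLen int) (int, error) {
	if len(token) > maxLen {
		return 0, ErrTooLong
	}
	segments := strings.Count(token, ".") + 1
	if segments != jwsSegments && segments != jweSegments {
		return 0, ErrBadSegments
	}
	return segments, nil
}

// SplitAllocations shows the amplification the advisory describes: the number
// of string headers strings.Split would produce for the given token.
func SplitAllocations(token string) int {
	return len(strings.Split(token, "."))
}

func main() {
	// Constructed inputs: a JWS-shaped token (not a real signature) and a hostile token of dots.
	good := "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2ln"
	bad := strings.Repeat(".", 100000)
	for _, t := range []string{good, bad} {
		n, err := ValidateCompactToken(t, 8192)
		fmt.Printf("len=%d segments=%d err=%v\n", len(t), n, err)
	}
	fmt.Printf("strings.Split would yield %d substrings for the hostile token\n", SplitAllocations(bad))
}
```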

Conclusion

CVE-2025-27144 is a serious issue for users of the Go JOSE library who are on version 4.x prior to 4.0.5. To protect against potential attacks, affected users should promptly update to the latest version. For further information and downloads, advisories are available on GitHub. Stay informed and keep your software up to date to mitigate security risks.

Watch the full video on YouTube: CVE-2025-27144

CVE database technical details

CVE ID
CVE-2025-27144
Description
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.
Provider
GitHub_M
CWE / problem types
CWE-770: Allocation of Resources Without Limits or Throttling
Affected Software Versions
go-jose:go-jose, versions >= 4.0.0 and < 4.0.5 (status: affected)
Date Published
2025-02-24T22:22:22.863Z
Last Updated
2025-02-25T14:27:04.978Z