CVE-2025-22868

Aliases:GHSA-6v2p-p543-phr9GO-2025-3488

Advisory lineage Upstream: 0 Downstream: 55

Downstream

DEBIAN-CVE-2025-22868 OPENSUSE-SU-2025:0091-1 OPENSUSE-SU-2025:0103-1 OPENSUSE-SU-2025:14839-1 OPENSUSE-SU-2025:14843-1 OPENSUSE-SU-2025:14868-1

Analyzed

Published: 26 Feb 2025, 03:07

Last modified:26 Feb 2025, 14:46

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (cve.org)

EPSS Score

0.13% LOW

0% probability +0.01%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

26 Feb 2025, 03:07

Published

Vulnerability first disclosed

26 Feb 2025, 14:46

Last Modified

Vulnerability information updated

Description

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.13%• Percentile: 31%

Techniques & Countermeasures

CWE-1286•Improper Validation of Syntactic Correctness of Input
The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.

Affected Systems

go•jws
< 0.27.0
golang.org/x•oauth2
< 0.27.0
golang.org/x/oauth2•golang.org/x/oauth2/jws
< 0.27.0