-
Type:
Vulnerability
-
Resolution: Done
-
Priority:
Major - P3
-
Affects Version/s: None
-
Component/s: None
-
None
-
Tools and Replicator
-
master
Priority from VULN: High
This is a copy of the linked VULN ticket issue. You only need to update this ticket and the VULN ticket will be synced accordingly.
Vulnerability Details
The following vulnerabilities were found in the third party component pkg:golang/github.com/golang-jwt/jwt/v5@v5.2.1 used in the repo: https://github.com/mongodb/mongo-tools:
CVE | Severity | CVSS | Fixed Version(s) |
CVE-2025-30204 | High | 7.5 | github.com/golang-jwt/jwt/v5:4.5.2, github.com/golang-jwt/jwt/v5:5.2.2 |
You are responsible for fixing it by and ensuring the fix is released, if required, by the relevant Due Date.
- A new release is required if the finding is on a stable branch that customers may be using. Stable branches refer to any branch excluding main or master, for products that do not trigger releases directly from main or master branches.
How do I fix this?
You need to update the package to a version that does not contain the vulnerability. Please reference the Fixed Version(s) column above for options. If there are multiple CVEs, updating to the latest fixed version that addresses all CVEs is recommended.If you are still unable to find a fixed version or need additional assistance, please reach out in the #secure-sdlc-program channel.
References:
- https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp
- https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3
- https://github.com/golang-jwt/jwt
Tool Description: ### Summary
Function [`parse.ParseUnverified`](https://github.com/golang-jwt/jwt/blob/c035977d9e11c351f4c05dfeae193923cbab49ee/parser.go#L138-L139) currently splits (via a call to [strings.Split](https://pkg.go.dev/strings#Split)) its argument (which is untrusted data) on periods.
As a result, in the face of a malicious request whose Authorization header consists of `Bearer ` followed by many period characters, a call to that function incurs allocations to the tune of O bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: [CWE-405: Asymmetric Resource Consumption (Amplification)](https://cwe.mitre.org/data/definitions/405.html)
-
-
- Details
-
See [`parse.ParseUnverified`](https://github.com/golang-jwt/jwt/blob/c035977d9e11c351f4c05dfeae193923cbab49ee/parser.go#L138-L139)
-
-
- Impact
-
Excessive memory allocation
🔥 Please see go/vuln-flow for detailed guidance.
- is depended on by
-
TOOLS-3714 Release Database Tools 100.12.0
-
- Closed
-