CVE-2025-27144 Overview
Go JOSE, a widely used Go implementation of the JavaScript Object Signing and Encryption (JOSE) standards, contains a memory exhaustion vulnerability in versions 4.x prior to 4.0.5. The vulnerability exists in the JWT token parsing logic, where the use of strings.Split(token, ".") allows malicious actors to craft tokens with an excessive number of . characters, leading to uncontrolled memory allocation. This can be exploited to cause Denial of Service conditions in applications that process untrusted JWT, JWE, or JWS tokens.
Critical Impact
Attackers can exploit this vulnerability remotely without authentication to exhaust server memory by sending malformed tokens with numerous period characters, resulting in service unavailability.
Affected Products
- Go JOSE versions 4.x prior to 4.0.5
- Applications using Go JOSE for JWT/JWE/JWS parsing
Discovery Timeline
- 2025-02-24 - CVE-2025-27144 published to NVD
- 2025-02-24 - Last updated in NVD database
Technical Details for CVE-2025-27144
Vulnerability Analysis
This vulnerability (CWE-770: Allocation of Resources Without Limits or Throttling) stems from improper handling of token parsing in the Go JOSE library. When processing compact JWS or JWE input, the library uses the Go standard library function strings.Split() to tokenize JWT strings by the period (.) delimiter. The strings.Split() function allocates memory proportional to the number of resulting substrings, without imposing any upper bound on the number of segments.
An attacker can craft a malicious token containing thousands or millions of period characters, causing the library to allocate an enormous array of string slices. When multiple such requests are sent concurrently, the cumulative memory consumption can exhaust available system resources, leading to application crashes or system-wide memory pressure.
Root Cause
The root cause is the unbounded use of strings.Split(token, ".") for parsing JWT tokens without validating the number of resulting segments beforehand. Valid JWT tokens contain exactly 3 parts (header, payload, signature) separated by 2 periods. The vulnerable code does not pre-validate this constraint, allowing arbitrarily large allocations when processing malicious input.
Attack Vector
The attack is network-accessible and requires no authentication or user interaction. An attacker can send HTTP requests containing maliciously crafted JWT tokens to any endpoint that processes authentication tokens using the vulnerable Go JOSE library. The attack mechanism involves:
- Crafting a token string with an excessive number of period characters (e.g., millions of . characters)
- Sending multiple concurrent requests with these malformed tokens to the target application
- The library attempts to split each token, allocating memory for each segment between periods
- Repeated requests rapidly consume available memory, causing denial of service
The vulnerability is particularly dangerous in authentication endpoints, API gateways, and microservices that validate JWTs for every incoming request.
Detection Methods for CVE-2025-27144
Indicators of Compromise
- Unusual spikes in memory consumption on servers processing JWT tokens
- Application crashes or out-of-memory (OOM) errors correlating with authentication requests
- Log entries showing malformed or unusually long JWT tokens being submitted
- Network traffic containing HTTP requests with abnormally large Authorization headers
Detection Strategies
- Monitor application memory usage patterns and alert on sudden increases
- Implement request size limits at the load balancer or WAF level
- Log and analyze JWT token lengths before processing
- Use application performance monitoring (APM) tools to correlate memory spikes with specific endpoints
Monitoring Recommendations
- Configure memory usage alerts with thresholds appropriate for your environment
- Enable detailed logging for authentication/token validation endpoints
- Monitor for patterns of repeated failed authentication attempts with oversized payloads
- Implement rate limiting on endpoints that process JWT tokens
How to Mitigate CVE-2025-27144
Immediate Actions Required
- Upgrade Go JOSE to version 4.0.5 or later immediately
- Audit applications to identify all instances of Go JOSE library usage
- Implement input validation to reject tokens with excessive period characters
- Configure WAF rules to block requests with abnormally large authentication tokens
Patch Information
The vulnerability has been addressed in Go JOSE version 4.0.5. The fix implements proper bounds checking before token splitting operations. The patch is available in GitHub Release v4.0.5, and the specific commit addressing this vulnerability can be reviewed on GitHub. For additional details, see the GitHub Security Advisory GHSA-c6gw-w398-hv78.
Workarounds
- Pre-validate incoming tokens to ensure they contain no more than 4 period characters before passing to Go JOSE
- Implement application-level input size limits on JWT tokens (typical valid JWTs are under 8KB)
- Add middleware that counts period characters and rejects tokens exceeding a reasonable threshold
- Deploy request size limits at the reverse proxy or API gateway layer
# Example: Pre-validate JWT token period count before processing
# Add validation in your application code before the token reaches Go JOSE
# (strings.Count scans the input without allocating, so the check is cheap):
#     if strings.Count(token, ".") > 4 {
#         http.Error(w, "malformed token", http.StatusBadRequest)
#         return
#     }
# For nginx, limit request header size so oversized tokens are rejected before they reach the application:
# In nginx.conf (http or server block):
#     large_client_header_buffers 4 8k;
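The following added example (not code from the Go JOSE project) contrasts the unbounded strings.Split pattern described in the Root Cause section with the period-count pre-check recommended under Workarounds. The limit of 4 periods follows from compact JWS having 3 dot-separated parts and compact JWE having 5; the hostile input is constructed for the demonstration and the per-segment cost assumes 64-bit Go string headers.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Compact JWS has 3 dot-separated parts and compact JWE has 5, so a
// well-formed compact token never contains more than 4 periods.
const maxCompactPeriods = 4

var ErrTooManySegments = errors.New("compact token has too many segments")

// splitCompactVulnerable mirrors the unbounded pattern in the advisory:
// strings.Split allocates one string header per segment, so N periods
// produce N+1 (mostly empty) strings before any structural check runs.
func splitCompactVulnerable(token string) []string {
	return strings.Split(token, ".")
}

// splitCompactHardened counts delimiters first. strings.Count scans the
// input without allocating, so a hostile token is rejected cheaply.
func splitCompactHardened(token string) ([]string, error) {
	if strings.Count(token, ".") > maxCompactPeriods {
		return nil, ErrTooManySegments
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 && len(parts) != 5 {
		return nil, fmt.Errorf("compact token has %d parts, want 3 or 5", len(parts))
	}
	return parts, nil
}

// segmentHeaderBytes estimates the backing array strings.Split would
// allocate: one 16-byte string header per segment on 64-bit Go.
func segmentHeaderBytes(token string) int {
	return (strings.Count(token, ".") + 1) * 16
}

func main() {
	// Constructed hostile input: 1 MiB of periods and no real JWT content.
	hostile := strings.Repeat(".", 1<<20)
	fmt.Printf("vulnerable: %d segments, ~%d MiB of string headers\n",
		len(splitCompactVulnerable(hostile)), segmentHeaderBytes(hostile)>>20)
	_, err := splitCompactHardened(hostile)
	fmt.Println("hardened:", err) // hardened: compact token has too many segments
}
```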
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

