API Security Blog

GHSA-C6GW-W398-HV78 DoS in go-jose Parsing

Impact

When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of '.' characters: strings.Split allocates one string header per segment, so a token consisting mostly of separators costs many times its own size in memory before any validation runs. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.

Patches

Version 4.0.5 fixes this issue.

Workarounds

Applications can pre-validate that payloads passed to go-jose do not contain an excessive number of '.' characters before calling the parser.

References

This is the same sort of issue as in the golang.org/x/oauth2/jws package, tracked as CVE-2025-22868 and Go issue…
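The workaround above, written out as an added example (this is not go-jose's code and not the library's actual fix): a separator-count pre-check that allocates nothing, placed in front of the parser, alongside a bounded split using strings.SplitN for contrast with the unbounded strings.Split. The function and constant names are assumptions, and the check is deliberately stricter than the advisory's wording, accepting only the two separator counts a compact JWS (3 parts) or compact JWE (5 parts) can have; it applies to compact serialization only, not to the JSON serialization. The sample tokens are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Compact serializations have a fixed number of '.'-separated parts:
// JWS is header.payload.signature, JWE is header.encrypted_key.iv.ciphertext.tag.
const (
	jwsCompactParts = 3
	jweCompactParts = 5
)

var ErrBadSeparatorCount = errors.New("compact token has an unexpected number of '.' separators")

// PreValidateCompact is the advisory's suggested workaround (hypothetical helper, not
// go-jose's own): count separators with strings.Count, which walks the input once and
// allocates nothing, and reject anything that cannot be a well-formed compact token.
func PreValidateCompact(token string) error {
	n := strings.Count(token, ".")
	if n != jwsCompactParts-1 && n != jweCompactParts-1 {
		return fmt.Errorf("%w: got %d", ErrBadSeparatorCount, n)
	}
	return nil
}

// SplitCompact splits with a bounded allocation. strings.SplitN stops after maxParts+1
// pieces, so the returned slice holds at most maxParts+1 string headers no matter how
// many '.' characters the input contains; any surplus separators land unsplit in the
// last element and trip the length check.
func SplitCompact(token string, maxParts int) ([]string, error) {
	parts := strings.SplitN(token, ".", maxParts+1)
	if len(parts) != maxParts {
		return nil, fmt.Errorf("expected %d parts, got %d", maxParts, len(parts))
	}
	return parts, nil
}

// UnboundedSegments reports how many string headers the vulnerable pattern,
// strings.Split(token, "."), allocates for the input: one per segment (separators + 1).
func UnboundedSegments(token string) int {
	return len(strings.Split(token, "."))
}

func main() {
	// Constructed inputs: a placeholder compact JWS and a hostile token of only separators.
	good := "hdr.payload.sig"
	hostile := strings.Repeat(".", 1<<20) // 1 MiB of '.', about 16 MiB of headers via strings.Split

	for _, tok := range []string{good, hostile} {
		if err := PreValidateCompact(tok); err != nil {
			fmt.Println("rejected before parsing:", err)
			continue
		}
		parts, err := SplitCompact(tok, jwsCompactParts)
		fmt.Println("parts:", len(parts), "err:", err)
	}
	fmt.Println("strings.Split would allocate", UnboundedSegments(hostile), "segments for the hostile token")
}
```

The pre-check belongs at the trust boundary, before the token reaches ParseSigned or ParseEncrypted, and it does not replace upgrading: it only narrows the input the unpatched splitter ever sees.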
