Summary IBM Watson Speech Services Cartridge is vulnerable to asymmetric resource consumption in golang-jwt, due to a flaw in the , the function parse.ParseUnverified splits [CVE-2025-30204]. Golang-jwt is included as part of our speech utilities. This vulnerabilitiy has been addressed. Please read the details for remediation below. Vulnerability Details CVEID:CVE-2025-30204 DESCRIPTION: golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2. CWE:CWE-405: Asymmetric Resource Consumption (Amplification) CVSS Source: [email protected] CVSS Base score: 7.5 CVSS Vector:(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Affected Products and Versions Affected Product(s)| Version(s) —|— IBM Watson Speech Services Cartridge | 4.0.0 – 5.1.3 Remediation/Fixes Product(s)| Version(s)| Remediation/Fix/Instructions —|—|— IBM Watson Speech Services Cartridge| 5.2.0| The fix in 5.2.0 applies to all versions listed (4.0.0-5.1.3). Version 5.2.0 can be…Read More