VDB
RHSA-2025%3A3053
RHSA-2025%3A3053
PUBLISHED
CVSS 7.5 HIGH
A flaw was found in the `golang.org/x/oauth2/jws` package in the token parsing component. This vulnerability is made possible because of the use of `strings.Split(token, ".")` to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this functionality by sending numerous malformed tokens and can trigger memory exhaustion and a Denial of Service.
Risk Scores
CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | gatekeeper/gatekeeper-rhel9@sha256:c0130d50528c55aa6819f7b722ad39bb583f1b8b961c47e32a8561d34440883c_ppc64le as a component of gatekeeper 3.15 for RHEL 9 | gatekeeper/gatekeeper-rhel9@sha256:c0130d50528c55aa6819f7b722ad39bb583f1b8b961c47e32a8561d34440883c_ppc64le, gatekeeper/gatekeeper-rhel9@sha256:c0130d50528c55aa6819f7b722ad39bb583f1b8b961c47e32a8561d34440883c_ppc64le, gatekeeper/gatekeeper-rhel9@sha256:c0130d50528c55aa6819f7b722ad39bb583f1b8b961c47e32a8561d34440883c_ppc64le |
| Red Hat | gatekeeper/gatekeeper-rhel9@sha256:2861cb1f2dec29a50a1b920768f8c7d463c7917b4267cb62813f7378972ecd63_amd64 as a component of gatekeeper 3.15 for RHEL 9 | gatekeeper/gatekeeper-rhel9@sha256:2861cb1f2dec29a50a1b920768f8c7d463c7917b4267cb62813f7378972ecd63_amd64, gatekeeper/gatekeeper-rhel9@sha256:2861cb1f2dec29a50a1b920768f8c7d463c7917b4267cb62813f7378972ecd63_amd64, gatekeeper/gatekeeper-rhel9@sha256:2861cb1f2dec29a50a1b920768f8c7d463c7917b4267cb62813f7378972ecd63_amd64 |
| Red Hat | gatekeeper/gatekeeper-operator-bundle@sha256:96b77663961daea3a336b97e34e9412281bfb2727854dc970a69edd029b9af85_amd64 as a component of gatekeeper 3.15 for RHEL 9 | *, gatekeeper/gatekeeper-operator-bundle@sha256:96b77663961daea3a336b97e34e9412281bfb2727854dc970a69edd029b9af85_amd64, gatekeeper/gatekeeper-operator-bundle@sha256:96b77663961daea3a336b97e34e9412281bfb2727854dc970a69edd029b9af85_amd64 |
| Red Hat | gatekeeper/gatekeeper-rhel9-operator@sha256:f287794acade33527da37fa3d6d872753231ac40546bdadf577ea4c3eb3a9347_arm64 as a component of gatekeeper 3.15 for RHEL 9 | gatekeeper/gatekeeper-rhel9-operator@sha256:f287794acade33527da37fa3d6d872753231ac40546bdadf577ea4c3eb3a9347_arm64, *, gatekeeper/gatekeeper-rhel9-operator@sha256:f287794acade33527da37fa3d6d872753231ac40546bdadf577ea4c3eb3a9347_arm64 |
| Red Hat | gatekeeper/gatekeeper-rhel9@sha256:9530577a1ddbc3fd1cc27fa9bf25220a4437f20817d85974a3066fd3d4229d94_arm64 as a component of gatekeeper 3.15 for RHEL 9 | *, *, gatekeeper/gatekeeper-rhel9@sha256:9530577a1ddbc3fd1cc27fa9bf25220a4437f20817d85974a3066fd3d4229d94_arm64 |
| Red Hat | gatekeeper/gatekeeper-rhel9-operator@sha256:d4cb7893bc7ddf352e9ee37f97461c798002cc79e1eea8706944f94f6b07a460_s390x as a component of gatekeeper 3.15 for RHEL 9 | gatekeeper/gatekeeper-rhel9-operator@sha256:d4cb7893bc7ddf352e9ee37f97461c798002cc79e1eea8706944f94f6b07a460_s390x, gatekeeper/gatekeeper-rhel9-operator@sha256:d4cb7893bc7ddf352e9ee37f97461c798002cc79e1eea8706944f94f6b07a460_s390x, * |
| Red Hat | gatekeeper/gatekeeper-rhel9-operator@sha256:e8e33ff4369c91bbf63c4c81979e0231ff247f3b0ab7a2872c0918a5455a1a2d_amd64 as a component of gatekeeper 3.15 for RHEL 9 | gatekeeper/gatekeeper-rhel9-operator@sha256:e8e33ff4369c91bbf63c4c81979e0231ff247f3b0ab7a2872c0918a5455a1a2d_amd64, *, gatekeeper/gatekeeper-rhel9-operator@sha256:e8e33ff4369c91bbf63c4c81979e0231ff247f3b0ab7a2872c0918a5455a1a2d_amd64 |
| Red Hat | gatekeeper/gatekeeper-rhel9-operator@sha256:f59983c70575e23e7e0e04422a0db15f99d8943c9246878044b205e871934635_ppc64le as a component of gatekeeper 3.15 for RHEL 9 | gatekeeper/gatekeeper-rhel9-operator@sha256:f59983c70575e23e7e0e04422a0db15f99d8943c9246878044b205e871934635_ppc64le, *, * |
| golang | ||
| Red Hat | gatekeeper/gatekeeper-rhel9@sha256:2861cb1f2dec29a50a1b920768f8c7d463c7917b4267cb62813f7378972ecd63_amd64 as a component of gatekeeper 3.15 for RHEL 9 | gatekeeper/gatekeeper-rhel9@sha256:2861cb1f2dec29a50a1b920768f8c7d463c7917b4267cb62813f7378972ecd63_amd64, gatekeeper/gatekeeper-rhel9@sha256:2861cb1f2dec29a50a1b920768f8c7d463c7917b4267cb62813f7378972ecd63_amd64, gatekeeper/gatekeeper-rhel9@sha256:2861cb1f2dec29a50a1b920768f8c7d463c7917b4267cb62813f7378972ecd63_amd64 |
| Red Hat | gatekeeper/gatekeeper-rhel9-operator@sha256:f287794acade33527da37fa3d6d872753231ac40546bdadf577ea4c3eb3a9347_arm64 as a component of gatekeeper 3.15 for RHEL 9 | gatekeeper/gatekeeper-rhel9-operator@sha256:f287794acade33527da37fa3d6d872753231ac40546bdadf577ea4c3eb3a9347_arm64, gatekeeper/gatekeeper-rhel9-operator@sha256:f287794acade33527da37fa3d6d872753231ac40546bdadf577ea4c3eb3a9347_arm64, gatekeeper/gatekeeper-rhel9-operator@sha256:f287794acade33527da37fa3d6d872753231ac40546bdadf577ea4c3eb3a9347_arm64 |
| Red Hat | gatekeeper/gatekeeper-rhel9-operator@sha256:d4cb7893bc7ddf352e9ee37f97461c798002cc79e1eea8706944f94f6b07a460_s390x as a component of gatekeeper 3.15 for RHEL 9 | gatekeeper/gatekeeper-rhel9-operator@sha256:d4cb7893bc7ddf352e9ee37f97461c798002cc79e1eea8706944f94f6b07a460_s390x, gatekeeper/gatekeeper-rhel9-operator@sha256:d4cb7893bc7ddf352e9ee37f97461c798002cc79e1eea8706944f94f6b07a460_s390x, gatekeeper/gatekeeper-rhel9-operator@sha256:d4cb7893bc7ddf352e9ee37f97461c798002cc79e1eea8706944f94f6b07a460_s390x |
| Red Hat | gatekeeper/gatekeeper-rhel9@sha256:b893c6fd9d1414efd34c51fdc08795c9ddf5e73053c5cc1b742eea04c6a1d4bf_s390x as a component of gatekeeper 3.15 for RHEL 9 | gatekeeper/gatekeeper-rhel9@sha256:b893c6fd9d1414efd34c51fdc08795c9ddf5e73053c5cc1b742eea04c6a1d4bf_s390x, gatekeeper/gatekeeper-rhel9@sha256:b893c6fd9d1414efd34c51fdc08795c9ddf5e73053c5cc1b742eea04c6a1d4bf_s390x, gatekeeper/gatekeeper-rhel9@sha256:b893c6fd9d1414efd34c51fdc08795c9ddf5e73053c5cc1b742eea04c6a1d4bf_s390x |
| Red Hat | gatekeeper/gatekeeper-operator-bundle@sha256:96b77663961daea3a336b97e34e9412281bfb2727854dc970a69edd029b9af85_amd64 as a component of gatekeeper 3.15 for RHEL 9 | *, *, * |
| Red Hat | gatekeeper/gatekeeper-rhel9-operator@sha256:e8e33ff4369c91bbf63c4c81979e0231ff247f3b0ab7a2872c0918a5455a1a2d_amd64 as a component of gatekeeper 3.15 for RHEL 9 | gatekeeper/gatekeeper-rhel9-operator@sha256:e8e33ff4369c91bbf63c4c81979e0231ff247f3b0ab7a2872c0918a5455a1a2d_amd64, gatekeeper/gatekeeper-rhel9-operator@sha256:e8e33ff4369c91bbf63c4c81979e0231ff247f3b0ab7a2872c0918a5455a1a2d_amd64, * |
| Red Hat | gatekeeper/gatekeeper-rhel9@sha256:b893c6fd9d1414efd34c51fdc08795c9ddf5e73053c5cc1b742eea04c6a1d4bf_s390x as a component of gatekeeper 3.15 for RHEL 9 | gatekeeper/gatekeeper-rhel9@sha256:b893c6fd9d1414efd34c51fdc08795c9ddf5e73053c5cc1b742eea04c6a1d4bf_s390x, gatekeeper/gatekeeper-rhel9@sha256:b893c6fd9d1414efd34c51fdc08795c9ddf5e73053c5cc1b742eea04c6a1d4bf_s390x, gatekeeper/gatekeeper-rhel9@sha256:b893c6fd9d1414efd34c51fdc08795c9ddf5e73053c5cc1b742eea04c6a1d4bf_s390x |
| Red Hat | gatekeeper/gatekeeper-rhel9@sha256:9530577a1ddbc3fd1cc27fa9bf25220a4437f20817d85974a3066fd3d4229d94_arm64 as a component of gatekeeper 3.15 for RHEL 9 | gatekeeper/gatekeeper-rhel9@sha256:9530577a1ddbc3fd1cc27fa9bf25220a4437f20817d85974a3066fd3d4229d94_arm64, gatekeeper/gatekeeper-rhel9@sha256:9530577a1ddbc3fd1cc27fa9bf25220a4437f20817d85974a3066fd3d4229d94_arm64, gatekeeper/gatekeeper-rhel9@sha256:9530577a1ddbc3fd1cc27fa9bf25220a4437f20817d85974a3066fd3d4229d94_arm64 |
| Red Hat | gatekeeper/gatekeeper-rhel9-operator@sha256:f59983c70575e23e7e0e04422a0db15f99d8943c9246878044b205e871934635_ppc64le as a component of gatekeeper 3.15 for RHEL 9 | *, gatekeeper/gatekeeper-rhel9-operator@sha256:f59983c70575e23e7e0e04422a0db15f99d8943c9246878044b205e871934635_ppc64le, * |
| Red Hat | gatekeeper/gatekeeper-rhel9@sha256:c0130d50528c55aa6819f7b722ad39bb583f1b8b961c47e32a8561d34440883c_ppc64le as a component of gatekeeper 3.15 for RHEL 9 | *, gatekeeper/gatekeeper-rhel9@sha256:c0130d50528c55aa6819f7b722ad39bb583f1b8b961c47e32a8561d34440883c_ppc64le, gatekeeper/gatekeeper-rhel9@sha256:c0130d50528c55aa6819f7b722ad39bb583f1b8b961c47e32a8561d34440883c_ppc64le |
Timeline
- Mar 20, 2025 CVE Published
- Apr 24, 2026 Distribution Patch
- Apr 24, 2026 Distribution Patch
- Apr 24, 2026 Security Advisory
- Apr 24, 2026 Security Advisory
- Apr 24, 2026 Security Advisory
- Jun 18, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2025:3053 advisory
- https://access.redhat.com/security/updates/classification/#important advisory
- https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.15.0 advisory
- https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.15.1 advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2348366 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2348367 issue
- https://issues.redhat.com/browse/ACM-18305 advisory
- https://issues.redhat.com/browse/ACM-18536 advisory
- https://issues.redhat.com/browse/HYPBLD-606 advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_3053.json advisory
- https://access.redhat.com/security/cve/CVE-2025-22868 advisory
- https://www.cve.org/CVERecord?id=CVE-2025-22868 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-22868 advisory
- https://go.dev/cl/652155 advisory
- https://go.dev/issue/71490 advisory
- https://pkg.go.dev/vuln/GO-2025-3488 advisory
- https://access.redhat.com/security/cve/CVE-2025-22869 advisory
- https://www.cve.org/CVERecord?id=CVE-2025-22869 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-22869 advisory
- https://go.dev/cl/652135 advisory
…and 2 more