VDB

RHSA-2025%3A3172

RHSA-2025%3A3172 PUBLISHED CVSS 7.5 HIGH

A flaw was found in the `golang.org/x/oauth2/jws` package in the token parsing component. This vulnerability is made possible because of the use of `strings.Split(token, ".")` to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this functionality by sending numerous malformed tokens and can trigger memory exhaustion and a Denial of Service.

Risk Scores

CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

VendorProductVersions
Red Hatrhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9*, *, *
Red Hatrhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le, rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le, rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le
Red Hatrhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64, rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64, rhacm2/volsync-rhel9@sha256:66a98747656507d0b1dd379c8347ae2a738848998cec182716009d0a62a01b72_arm64
Red Hatrhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64, *, *
Red Hatrhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x, *, *
Red Hatrhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x, rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x, rhacm2/volsync-rhel9@sha256:7208a20dea4ee2c543dd6719493000fcc4b5a00d52a3d076decfee0d00c01c13_s390x
Red Hatrhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64, rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64, rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64
Red Hatrhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64, *, rhacm2/volsync-rhel9@sha256:ab0e5a22a273e298802437e3b4d083c8cfc55da6c23a43d7c840b740248bf110_amd64
golangoauth2
Red Hatrhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9rhacm2/volsync-operator-bundle@sha256:472aeeb4b0c06a3676d4e509de1648c88ef640490817e0ea2af8c9ee39660515_amd64, *, *
Red Hatrhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9rhacm2/volsync-rhel9@sha256:a6d4413161a9a15d7dafee13f132d1d6ebb5fc82d32876b8bbe055733d12a283_ppc64le, *, *

Timeline

  • Mar 25, 2025 CVE Published
  • Apr 24, 2026 Distribution Patch
  • Apr 24, 2026 Distribution Patch
  • Apr 24, 2026 Security Advisory
  • Apr 24, 2026 Security Advisory
  • Apr 24, 2026 Security Advisory
  • Jun 18, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›