VDB
RHSA-2025%3A3959
RHSA-2025%3A3959
PUBLISHED
CVSS 9.300000190734863 CRITICAL
A flaw was found in the `golang.org/x/oauth2/jws` package in the token parsing component. This vulnerability is made possible because of the use of `strings.Split(token, ".")` to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this functionality by sending numerous malformed tokens and can trigger memory exhaustion and a Denial of Service.
Risk Scores
CVSS 4.0
9.300000190734863
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9 | rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64, *, * |
| golang.org | x/oauth2/jws | |
| Red Hat | rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9 | rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64, rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64, rhacm2/volsync-rhel9@sha256:fa18cbf3efd16da8e961ab1077fe5af57aa041f09a38220ae733a2bb5c1ad6d0_amd64 |
| Red Hat | rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9 | *, rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le, * |
| Red Hat | rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9 | *, rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64, rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64 |
| Red Hat | rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9 | *, rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le, rhacm2/volsync-rhel9@sha256:dc85bc3665640b14ba36e221020da1f6681c681005be89923302bc294fd5dfe2_ppc64le |
| Red Hat | rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9 | rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x, *, rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x |
| Red Hat | rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9 | *, rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64, * |
| Red Hat | rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9 | *, rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64, rhacm2/volsync-rhel9@sha256:4f4d48d1aec8bca6a2bb1d913c444d8e3aed17fb84c892dc07644baf2b0aa97d_arm64 |
| Red Hat | rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9 | rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64, rhacm2/volsync-operator-bundle@sha256:f7e36802f5857a4e5300a140f58195a1472b67d69bee85333db63a4229604fee_amd64, * |
| Red Hat | rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9 | rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x, rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x, rhacm2/volsync-rhel9@sha256:81a293e795d4ded647062667465916cafa23605aa139f4ed56da2fae38dcd3a8_s390x |
Timeline
- Apr 16, 2025 CVE Published
- Apr 24, 2026 Distribution Patch
- Apr 24, 2026 Distribution Patch
- Apr 24, 2026 Security Advisory
- Apr 24, 2026 Security Advisory
- Apr 24, 2026 Security Advisory
- Jun 18, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2025:3959 advisory
- https://access.redhat.com/security/updates/classification/#important advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2348366 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2348367 issue
- https://issues.redhat.com/browse/ACM-19031 advisory
- https://issues.redhat.com/browse/HYPBLD-618 advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_3959.json advisory
- https://access.redhat.com/security/cve/CVE-2025-22868 advisory
- https://www.cve.org/CVERecord?id=CVE-2025-22868 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-22868 advisory
- https://go.dev/cl/652155 advisory
- https://go.dev/issue/71490 advisory
- https://pkg.go.dev/vuln/GO-2025-3488 advisory
- https://access.redhat.com/security/cve/CVE-2025-22869 advisory
- https://www.cve.org/CVERecord?id=CVE-2025-22869 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-22869 advisory
- https://go.dev/cl/652135 advisory
- https://go.dev/issue/71931 advisory
- https://pkg.go.dev/vuln/GO-2025-3487 advisory