VDB
RHSA-2025%3A7616
RHSA-2025%3A7616
PUBLISHED
CVSS 7.5 HIGH
A flaw was found in the `golang.org/x/oauth2/jws` package in the token parsing component. This vulnerability is made possible because of the use of `strings.Split(token, ".")` to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this functionality by sending numerous malformed tokens and can trigger memory exhaustion and a Denial of Service.
Risk Scores
CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | odf4/odf-cli-rhel9@sha256:39f7e57099822c1f9254800a5aaacb0c28a7718510445e5e437bb9df6e11cb55_amd64 as a component of RHODF 4.18 for RHEL 9 | odf4/odf-cli-rhel9@sha256:39f7e57099822c1f9254800a5aaacb0c28a7718510445e5e437bb9df6e11cb55_amd64, *, * |
| Red Hat | odf4/mcg-core-rhel9@sha256:498767d6cbd4ad191d5d9e36a0d13710891828ab016d3723e5c88eba74b039f8_s390x as a component of RHODF 4.18 for RHEL 9 | odf4/mcg-core-rhel9@sha256:498767d6cbd4ad191d5d9e36a0d13710891828ab016d3723e5c88eba74b039f8_s390x, odf4/mcg-core-rhel9@sha256:498767d6cbd4ad191d5d9e36a0d13710891828ab016d3723e5c88eba74b039f8_s390x, * |
| Red Hat | odf4/rook-ceph-rhel9-operator@sha256:37b6f0b1f5df6582d27d915f78c6209d663c2153c119efbb6e0a86a2130bb9a5_amd64 as a component of RHODF 4.18 for RHEL 9 | odf4/rook-ceph-rhel9-operator@sha256:37b6f0b1f5df6582d27d915f78c6209d663c2153c119efbb6e0a86a2130bb9a5_amd64, odf4/rook-ceph-rhel9-operator@sha256:37b6f0b1f5df6582d27d915f78c6209d663c2153c119efbb6e0a86a2130bb9a5_amd64, odf4/rook-ceph-rhel9-operator@sha256:37b6f0b1f5df6582d27d915f78c6209d663c2153c119efbb6e0a86a2130bb9a5_amd64 |
| Red Hat | odf4/odr-cluster-operator-bundle@sha256:be0abe9f1da1cd664e78fbb0a730f25063d7d99df002f73835aff338407e3d1c_amd64 as a component of RHODF 4.18 for RHEL 9 | odf4/odr-cluster-operator-bundle@sha256:be0abe9f1da1cd664e78fbb0a730f25063d7d99df002f73835aff338407e3d1c_amd64, *, odf4/odr-cluster-operator-bundle@sha256:be0abe9f1da1cd664e78fbb0a730f25063d7d99df002f73835aff338407e3d1c_amd64 |
| Red Hat | odf4/mcg-operator-bundle@sha256:e6f3079508f74bde0016ab97316c270ec99192447a001ef5dbf9d6b683a0c4e7_ppc64le as a component of RHODF 4.18 for RHEL 9 | odf4/mcg-operator-bundle@sha256:e6f3079508f74bde0016ab97316c270ec99192447a001ef5dbf9d6b683a0c4e7_ppc64le, *, * |
| Red Hat | odf4/rook-ceph-operator-bundle@sha256:7e4daba24e2ac197b975b93d23f2b45384fae54ae779baba4cd993fb9b32f5d9_ppc64le as a component of RHODF 4.18 for RHEL 9 | odf4/rook-ceph-operator-bundle@sha256:7e4daba24e2ac197b975b93d23f2b45384fae54ae779baba4cd993fb9b32f5d9_ppc64le, odf4/rook-ceph-operator-bundle@sha256:7e4daba24e2ac197b975b93d23f2b45384fae54ae779baba4cd993fb9b32f5d9_ppc64le, odf4/rook-ceph-operator-bundle@sha256:7e4daba24e2ac197b975b93d23f2b45384fae54ae779baba4cd993fb9b32f5d9_ppc64le |
| Red Hat | odf4/odf-csi-addons-rhel9-operator@sha256:cb7d8a3e134f12b9e2401667e8fe63354d032e3a5399b5edc3d0d4b24049740b_s390x as a component of RHODF 4.18 for RHEL 9 | odf4/odf-csi-addons-rhel9-operator@sha256:cb7d8a3e134f12b9e2401667e8fe63354d032e3a5399b5edc3d0d4b24049740b_s390x, odf4/odf-csi-addons-rhel9-operator@sha256:cb7d8a3e134f12b9e2401667e8fe63354d032e3a5399b5edc3d0d4b24049740b_s390x, odf4/odf-csi-addons-rhel9-operator@sha256:cb7d8a3e134f12b9e2401667e8fe63354d032e3a5399b5edc3d0d4b24049740b_s390x |
| Red Hat | odf4/odr-rhel9-operator@sha256:8d1ac2ec2f347ab1a70044a689f8c8d2449e829021d5dbfe14e8a132c94493a9_ppc64le as a component of RHODF 4.18 for RHEL 9 | odf4/odr-rhel9-operator@sha256:8d1ac2ec2f347ab1a70044a689f8c8d2449e829021d5dbfe14e8a132c94493a9_ppc64le, odf4/odr-rhel9-operator@sha256:8d1ac2ec2f347ab1a70044a689f8c8d2449e829021d5dbfe14e8a132c94493a9_ppc64le, odf4/odr-rhel9-operator@sha256:8d1ac2ec2f347ab1a70044a689f8c8d2449e829021d5dbfe14e8a132c94493a9_ppc64le |
| Red Hat | odf4/cephcsi-rhel9-operator@sha256:48f8800dd95f12cf3e4846646da7b2d4658810ca7e54e711c9e9b738f98b8386_arm64 as a component of RHODF 4.18 for RHEL 9 | *, *, * |
| Red Hat | odf4/cephcsi-rhel9@sha256:fc167c03fcd29f8e1a41ea9f6b4dc5803c4f68d8bfff3cbd983734b227b80f2b_ppc64le as a component of RHODF 4.18 for RHEL 9 | odf4/cephcsi-rhel9@sha256:fc167c03fcd29f8e1a41ea9f6b4dc5803c4f68d8bfff3cbd983734b227b80f2b_ppc64le, odf4/cephcsi-rhel9@sha256:fc167c03fcd29f8e1a41ea9f6b4dc5803c4f68d8bfff3cbd983734b227b80f2b_ppc64le, odf4/cephcsi-rhel9@sha256:fc167c03fcd29f8e1a41ea9f6b4dc5803c4f68d8bfff3cbd983734b227b80f2b_ppc64le |
| Red Hat | odf4/odf-multicluster-console-rhel9@sha256:5d2b843e0e18758831e3839fc8699b32f697535a0755f7d2125e419ebc337f4c_amd64 as a component of RHODF 4.18 for RHEL 9 | *, *, * |
| Red Hat | odf4/odf-csi-addons-rhel9-operator@sha256:cb7d8a3e134f12b9e2401667e8fe63354d032e3a5399b5edc3d0d4b24049740b_s390x as a component of RHODF 4.18 for RHEL 9 | odf4/odf-csi-addons-rhel9-operator@sha256:cb7d8a3e134f12b9e2401667e8fe63354d032e3a5399b5edc3d0d4b24049740b_s390x, *, odf4/odf-csi-addons-rhel9-operator@sha256:cb7d8a3e134f12b9e2401667e8fe63354d032e3a5399b5edc3d0d4b24049740b_s390x |
| Red Hat | odf4/odf-cosi-sidecar-rhel9@sha256:5e7bc2ef9a3cff605d287d483a583a9883126de60e2d0d67f02d120ac0e4e8d0_s390x as a component of RHODF 4.18 for RHEL 9 | *, odf4/odf-cosi-sidecar-rhel9@sha256:5e7bc2ef9a3cff605d287d483a583a9883126de60e2d0d67f02d120ac0e4e8d0_s390x, odf4/odf-cosi-sidecar-rhel9@sha256:5e7bc2ef9a3cff605d287d483a583a9883126de60e2d0d67f02d120ac0e4e8d0_s390x |
| Red Hat | odf4/odf-console-rhel9@sha256:fe6e48bed591c0970517991307c38a9792c70f2f6ba297a8d0c12e47ec8405d0_amd64 as a component of RHODF 4.18 for RHEL 9 | odf4/odf-console-rhel9@sha256:fe6e48bed591c0970517991307c38a9792c70f2f6ba297a8d0c12e47ec8405d0_amd64, odf4/odf-console-rhel9@sha256:fe6e48bed591c0970517991307c38a9792c70f2f6ba297a8d0c12e47ec8405d0_amd64, odf4/odf-console-rhel9@sha256:fe6e48bed591c0970517991307c38a9792c70f2f6ba297a8d0c12e47ec8405d0_amd64 |
| Red Hat | odf4/cephcsi-operator-bundle@sha256:3136e58c7368b1b9a295cf5773764b8e293d6324bbd05260065bf99daa947b2b_amd64 as a component of RHODF 4.18 for RHEL 9 | *, odf4/cephcsi-operator-bundle@sha256:3136e58c7368b1b9a295cf5773764b8e293d6324bbd05260065bf99daa947b2b_amd64, odf4/cephcsi-operator-bundle@sha256:3136e58c7368b1b9a295cf5773764b8e293d6324bbd05260065bf99daa947b2b_amd64 |
| Red Hat | odf4/cephcsi-rhel9-operator@sha256:48f8800dd95f12cf3e4846646da7b2d4658810ca7e54e711c9e9b738f98b8386_arm64 as a component of RHODF 4.18 for RHEL 9 | *, odf4/cephcsi-rhel9-operator@sha256:48f8800dd95f12cf3e4846646da7b2d4658810ca7e54e711c9e9b738f98b8386_arm64, odf4/cephcsi-rhel9-operator@sha256:48f8800dd95f12cf3e4846646da7b2d4658810ca7e54e711c9e9b738f98b8386_arm64 |
| Red Hat | odf4/rook-ceph-rhel9-operator@sha256:4dbf5b50fa735c19ab27b1ae7f794f4cd311eb4c3f7581a661e1d4bd00b1159a_s390x as a component of RHODF 4.18 for RHEL 9 | *, *, * |
| Red Hat | odf4/odf-multicluster-rhel9-operator@sha256:7c266e633c5a236ea81da8155ae1772068bf5c13de17d0b7e780db7d483b6a0a_arm64 as a component of RHODF 4.18 for RHEL 9 | odf4/odf-multicluster-rhel9-operator@sha256:7c266e633c5a236ea81da8155ae1772068bf5c13de17d0b7e780db7d483b6a0a_arm64, odf4/odf-multicluster-rhel9-operator@sha256:7c266e633c5a236ea81da8155ae1772068bf5c13de17d0b7e780db7d483b6a0a_arm64, odf4/odf-multicluster-rhel9-operator@sha256:7c266e633c5a236ea81da8155ae1772068bf5c13de17d0b7e780db7d483b6a0a_arm64 |
| Red Hat | odf4/ocs-metrics-exporter-rhel9@sha256:3f5ef231d093201e521f77707aeeba3168ed925c03c9c5e91d4a00d84141c3bd_amd64 as a component of RHODF 4.18 for RHEL 9 | *, odf4/ocs-metrics-exporter-rhel9@sha256:3f5ef231d093201e521f77707aeeba3168ed925c03c9c5e91d4a00d84141c3bd_amd64, odf4/ocs-metrics-exporter-rhel9@sha256:3f5ef231d093201e521f77707aeeba3168ed925c03c9c5e91d4a00d84141c3bd_amd64 |
| Red Hat | odf4/odr-recipe-operator-bundle@sha256:f40b72bcc1b662ea6637db9c67c2941536c6a73e82a9cde60745ac4065a87d06_ppc64le as a component of RHODF 4.18 for RHEL 9 | odf4/odr-recipe-operator-bundle@sha256:f40b72bcc1b662ea6637db9c67c2941536c6a73e82a9cde60745ac4065a87d06_ppc64le, *, * |
…and 198 more
Timeline
- May 14, 2025 CVE Published
- Apr 24, 2026 Distribution Patch
- Apr 24, 2026 Distribution Patch
- Apr 24, 2026 Security Advisory
- Apr 24, 2026 Security Advisory
- Apr 24, 2026 Security Advisory
- Jun 18, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2025:7616 advisory
- https://access.redhat.com/security/updates/classification/#important advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2348366 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2351766 issue
- https://issues.redhat.com/browse/DFBUGS-1677 advisory
- https://issues.redhat.com/browse/DFBUGS-2330 advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_7616.json advisory
- https://access.redhat.com/security/cve/CVE-2025-22868 advisory
- https://www.cve.org/CVERecord?id=CVE-2025-22868 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-22868 advisory
- https://go.dev/cl/652155 advisory
- https://go.dev/issue/71490 advisory
- https://pkg.go.dev/vuln/GO-2025-3488 advisory
- https://access.redhat.com/security/cve/CVE-2025-22870 advisory
- https://www.cve.org/CVERecord?id=CVE-2025-22870 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-22870 advisory
- https://go.dev/cl/654697 advisory
- https://go.dev/issue/71984 advisory
- https://pkg.go.dev/vuln/GO-2025-3503 advisory