VDB
RHSA-2025%3A9541
RHSA-2025%3A9541
PUBLISHED
CVSS 7.5 HIGH
A flaw was found in the `golang.org/x/oauth2/jws` package in the token parsing component. This vulnerability is made possible because of the use of `strings.Split(token, ".")` to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this functionality by sending numerous malformed tokens and can trigger memory exhaustion and a Denial of Service.
Risk Scores
CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | rhacm2/lighthouse-agent-rhel9@sha256:253bf5d0c941f36f3e1a404502707e642afa7e8697429e38fc00a24363cabe54_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | rhacm2/lighthouse-agent-rhel9@sha256:253bf5d0c941f36f3e1a404502707e642afa7e8697429e38fc00a24363cabe54_arm64, rhacm2/lighthouse-agent-rhel9@sha256:253bf5d0c941f36f3e1a404502707e642afa7e8697429e38fc00a24363cabe54_arm64, * |
| Red Hat | rhacm2/submariner-globalnet-rhel9@sha256:2ed8cf8929c729e2f8e84c12a13403212b8b925088688a3961ccd6398e172eb6_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | *, rhacm2/submariner-globalnet-rhel9@sha256:2ed8cf8929c729e2f8e84c12a13403212b8b925088688a3961ccd6398e172eb6_amd64, rhacm2/submariner-globalnet-rhel9@sha256:2ed8cf8929c729e2f8e84c12a13403212b8b925088688a3961ccd6398e172eb6_amd64 |
| Red Hat | rhacm2/submariner-gateway-rhel9@sha256:22330a1398cb9f2507baf7992800c8e2b75d8a7383fe983e95a78c9cc856cd69_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | rhacm2/submariner-gateway-rhel9@sha256:22330a1398cb9f2507baf7992800c8e2b75d8a7383fe983e95a78c9cc856cd69_s390x, rhacm2/submariner-gateway-rhel9@sha256:22330a1398cb9f2507baf7992800c8e2b75d8a7383fe983e95a78c9cc856cd69_s390x, rhacm2/submariner-gateway-rhel9@sha256:22330a1398cb9f2507baf7992800c8e2b75d8a7383fe983e95a78c9cc856cd69_s390x |
| Red Hat | rhacm2/submariner-route-agent-rhel9@sha256:207eac9f5010090ca44651606d12f1c8fc7753301d473d37c43d52c3fa57450d_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | *, rhacm2/submariner-route-agent-rhel9@sha256:207eac9f5010090ca44651606d12f1c8fc7753301d473d37c43d52c3fa57450d_ppc64le, rhacm2/submariner-route-agent-rhel9@sha256:207eac9f5010090ca44651606d12f1c8fc7753301d473d37c43d52c3fa57450d_ppc64le |
| Red Hat | rhacm2/submariner-globalnet-rhel9@sha256:2ed8cf8929c729e2f8e84c12a13403212b8b925088688a3961ccd6398e172eb6_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | rhacm2/submariner-globalnet-rhel9@sha256:2ed8cf8929c729e2f8e84c12a13403212b8b925088688a3961ccd6398e172eb6_amd64, *, * |
| Red Hat | rhacm2/lighthouse-agent-rhel9@sha256:8f22385b2571331ce6d0577a296d1de34a17b7467ce5e93808ac67f51c36319f_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | rhacm2/lighthouse-agent-rhel9@sha256:8f22385b2571331ce6d0577a296d1de34a17b7467ce5e93808ac67f51c36319f_ppc64le, *, rhacm2/lighthouse-agent-rhel9@sha256:8f22385b2571331ce6d0577a296d1de34a17b7467ce5e93808ac67f51c36319f_ppc64le |
| Red Hat | rhacm2/submariner-route-agent-rhel9@sha256:396ae805aea13296b42214b4632104396d3ac05a7a540636928eae7ff0cb8231_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | rhacm2/submariner-route-agent-rhel9@sha256:396ae805aea13296b42214b4632104396d3ac05a7a540636928eae7ff0cb8231_arm64, *, * |
| Red Hat | rhacm2/lighthouse-agent-rhel9@sha256:09d7c636408b1ac86e063085f53b50b8c29578693f4bdd908f4e841b76d42946_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | rhacm2/lighthouse-agent-rhel9@sha256:09d7c636408b1ac86e063085f53b50b8c29578693f4bdd908f4e841b76d42946_s390x, *, * |
| Red Hat | rhacm2/submariner-globalnet-rhel9@sha256:da29d598738eb7c181eb78c2383f33b8a35379fe5d3e275ff8d1ba01d9d37b69_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | *, *, rhacm2/submariner-globalnet-rhel9@sha256:da29d598738eb7c181eb78c2383f33b8a35379fe5d3e275ff8d1ba01d9d37b69_s390x |
| Red Hat | rhacm2/lighthouse-coredns-rhel9@sha256:269ec218b3d32c46d89ac7c852cb09b59f24955b00d240694bfc989c889c5b35_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | rhacm2/lighthouse-coredns-rhel9@sha256:269ec218b3d32c46d89ac7c852cb09b59f24955b00d240694bfc989c889c5b35_s390x, rhacm2/lighthouse-coredns-rhel9@sha256:269ec218b3d32c46d89ac7c852cb09b59f24955b00d240694bfc989c889c5b35_s390x, rhacm2/lighthouse-coredns-rhel9@sha256:269ec218b3d32c46d89ac7c852cb09b59f24955b00d240694bfc989c889c5b35_s390x |
| Red Hat | rhacm2/submariner-globalnet-rhel9@sha256:1915bc542011a4841e0bfab92576e897c952ecfd703e78e0e81920bd6904a745_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | rhacm2/submariner-globalnet-rhel9@sha256:1915bc542011a4841e0bfab92576e897c952ecfd703e78e0e81920bd6904a745_ppc64le, rhacm2/submariner-globalnet-rhel9@sha256:1915bc542011a4841e0bfab92576e897c952ecfd703e78e0e81920bd6904a745_ppc64le, * |
| Red Hat | rhacm2/submariner-gateway-rhel9@sha256:77b375c72aa1544af753acce5c1d6f45f615ec1e0bed1f0f48508d9d590f1963_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | rhacm2/submariner-gateway-rhel9@sha256:77b375c72aa1544af753acce5c1d6f45f615ec1e0bed1f0f48508d9d590f1963_ppc64le, *, * |
| Red Hat | rhacm2/submariner-operator-bundle@sha256:2a9c8ac2535cd9686d245fae90fffb8b3424018a941a85fd5d4bcb19f8876736_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | rhacm2/submariner-operator-bundle@sha256:2a9c8ac2535cd9686d245fae90fffb8b3424018a941a85fd5d4bcb19f8876736_s390x, *, * |
| Red Hat | rhacm2/subctl-rhel9@sha256:c8987ca5f30462c04c29604157ca2ec443a1a2aa58837b62ce2a409be905dbc1_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | *, *, rhacm2/subctl-rhel9@sha256:c8987ca5f30462c04c29604157ca2ec443a1a2aa58837b62ce2a409be905dbc1_amd64 |
| Red Hat | rhacm2/submariner-rhel9-operator@sha256:667a0f7ea6e85c371b1f082be6d15b2c651f8648cdd76d178b129699e8ac4b49_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | rhacm2/submariner-rhel9-operator@sha256:667a0f7ea6e85c371b1f082be6d15b2c651f8648cdd76d178b129699e8ac4b49_arm64, rhacm2/submariner-rhel9-operator@sha256:667a0f7ea6e85c371b1f082be6d15b2c651f8648cdd76d178b129699e8ac4b49_arm64, rhacm2/submariner-rhel9-operator@sha256:667a0f7ea6e85c371b1f082be6d15b2c651f8648cdd76d178b129699e8ac4b49_arm64 |
| Red Hat | rhacm2/submariner-rhel9-operator@sha256:5d2006edf7770901672de933f95d247dc036b314c5d07c692f3beca45ead3091_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | *, rhacm2/submariner-rhel9-operator@sha256:5d2006edf7770901672de933f95d247dc036b314c5d07c692f3beca45ead3091_s390x, rhacm2/submariner-rhel9-operator@sha256:5d2006edf7770901672de933f95d247dc036b314c5d07c692f3beca45ead3091_s390x |
| Red Hat | rhacm2/submariner-globalnet-rhel9@sha256:c6ae49c2b32ad3dc7ee8835f10a4200420744cd4b0e0163b4244c168169db6d7_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | rhacm2/submariner-globalnet-rhel9@sha256:c6ae49c2b32ad3dc7ee8835f10a4200420744cd4b0e0163b4244c168169db6d7_arm64, rhacm2/submariner-globalnet-rhel9@sha256:c6ae49c2b32ad3dc7ee8835f10a4200420744cd4b0e0163b4244c168169db6d7_arm64, rhacm2/submariner-globalnet-rhel9@sha256:c6ae49c2b32ad3dc7ee8835f10a4200420744cd4b0e0163b4244c168169db6d7_arm64 |
| Red Hat | rhacm2/lighthouse-agent-rhel9@sha256:8f22385b2571331ce6d0577a296d1de34a17b7467ce5e93808ac67f51c36319f_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | rhacm2/lighthouse-agent-rhel9@sha256:8f22385b2571331ce6d0577a296d1de34a17b7467ce5e93808ac67f51c36319f_ppc64le, rhacm2/lighthouse-agent-rhel9@sha256:8f22385b2571331ce6d0577a296d1de34a17b7467ce5e93808ac67f51c36319f_ppc64le, * |
| Red Hat | rhacm2/lighthouse-agent-rhel9@sha256:09d7c636408b1ac86e063085f53b50b8c29578693f4bdd908f4e841b76d42946_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | rhacm2/lighthouse-agent-rhel9@sha256:09d7c636408b1ac86e063085f53b50b8c29578693f4bdd908f4e841b76d42946_s390x, rhacm2/lighthouse-agent-rhel9@sha256:09d7c636408b1ac86e063085f53b50b8c29578693f4bdd908f4e841b76d42946_s390x, rhacm2/lighthouse-agent-rhel9@sha256:09d7c636408b1ac86e063085f53b50b8c29578693f4bdd908f4e841b76d42946_s390x |
| Red Hat | rhacm2/submariner-operator-bundle@sha256:2a9c8ac2535cd9686d245fae90fffb8b3424018a941a85fd5d4bcb19f8876736_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | rhacm2/submariner-operator-bundle@sha256:2a9c8ac2535cd9686d245fae90fffb8b3424018a941a85fd5d4bcb19f8876736_s390x, rhacm2/submariner-operator-bundle@sha256:2a9c8ac2535cd9686d245fae90fffb8b3424018a941a85fd5d4bcb19f8876736_s390x, rhacm2/submariner-operator-bundle@sha256:2a9c8ac2535cd9686d245fae90fffb8b3424018a941a85fd5d4bcb19f8876736_s390x |
…and 55 more
Timeline
- Jun 24, 2025 CVE Published
- Apr 24, 2026 Distribution Patch
- Apr 24, 2026 Distribution Patch
- Apr 24, 2026 Security Advisory
- Apr 24, 2026 Security Advisory
- Apr 24, 2026 Security Advisory
- Jun 18, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2025:9541 advisory
- https://access.redhat.com/security/updates/classification/#important advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2348366 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2354195 issue
- https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_9541.json advisory
- https://access.redhat.com/security/cve/CVE-2025-22868 advisory
- https://www.cve.org/CVERecord?id=CVE-2025-22868 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-22868 advisory
- https://go.dev/cl/652155 advisory
- https://go.dev/issue/71490 advisory
- https://pkg.go.dev/vuln/GO-2025-3488 advisory
- https://access.redhat.com/security/cve/CVE-2025-30204 advisory
- https://www.cve.org/CVERecord?id=CVE-2025-30204 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-30204 advisory
- https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3 advisory
- https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp advisory
- https://pkg.go.dev/vuln/GO-2025-3553 advisory