CVE-2025-27144 Go JOSE's Parsing Vulnerable to Denial of Service

🗓️ 24 Feb 2025 22:22:22Reported by GoogleType

osv

osv🔗 osv.dev👁 10 Views

Go JOSE versions before 4.0.5 have excessive memory use from malicious JWT tokens, fixed in 4.0.5.

Reporter	Title	Published	Views	Family All 656
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise Certified Container UBI updates	26 Mar 202518:00	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Storage Fusion Data Foundation is vulnerable to CVE-2025-27144 in different components	25 Jun 202516:28	–	ibm
IBM Security Bulletins	Security Bulletin: There are multiple vulnerabilities that can affect IBM Fusion	19 Dec 202520:44	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Rapid Infrastructure Automation	27 Apr 202610:31	–	ibm
IBM Security Bulletins	Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to libxml2, Go JOSE and FreeType	1 May 202515:16	–	ibm
Tenable Nessus	Amazon Linux 2023 : runfinch-finch (ALAS2023-2025-914)	1 Apr 202500:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : containerd, containerd-stress (ALAS2023-2025-930)	14 Apr 202500:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : nerdctl (ALAS2023-2025-931)	14 Apr 202500:00	–	nessus
Tenable Nessus	Amazon Linux 2 : nerdctl (ALAS-2025-2821)	17 Apr 202500:00	–	nessus
Tenable Nessus	Amazon Linux 2 : runfinch-finch (ALASDOCKER-2025-053)	1 Apr 202500:00	–	nessus

Source	Link
github	www.github.com/go-jose/go-jose/releases/tag/v4.0.5
github	www.github.com/CVEProject/cvelistV5/tree/main/cves/2025/27xxx/CVE-2025-27144.json
github	www.github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78
nvd	www.nvd.nist.gov/vuln/detail/CVE-2025-27144
github	www.github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22

29 May 2026 18:29Current

6.6Medium risk

Vulners AI Score6.6

CVSS 48.7

EPSS0.00369

go jose memory exhaustion json web signature json web encryption denial of service security update.