The vulnerability of the parse.ParseUnverified() function in the golang-jwt library for handling web tokens allows attackers to disclose sensitive information that should be protected.

The vulnerability of the parse.ParseUnverified function in the golang-jwt library for handling web tokens in the Go programming language is related to uncontrolled resource consumption. Exploiting this vulnerability allows an attacker to disclose protected information...

Important: runfinch-finch

Issue Overview: golang-jwt is a Go implementation of JSON Web Tokens. Prior to 5.2.2 and 4.5.2, the function parse.ParseUnverified splits via a call to strings.Split its argument which is untrusted data on periods. As a result, in the face of a malicious request whose Authorization header consist...

SUSE CVE-2025-30204

golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits via a call to strings.Split its argument which is untrusted data on periods. As a result, in the face of a malicious request whose...

AZL-59233 CVE-2025-30204 affecting package cert-manager for versions less than 1.11.2-21

golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits via a call to strings.Split its argument which is untrusted data on periods. As a result, in the face of a malicious request whose...

AZL-77511 CVE-2025-30204 affecting package jx for versions less than 3.2.236-25

golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits via a call to strings.Split its argument which is untrusted data on periods. As a result, in the face of a malicious request whose...

AZL-77535 CVE-2025-30204 affecting package rook 1.6.2-27

golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits via a call to strings.Split its argument which is untrusted data on periods. As a result, in the face of a malicious request whose...

AZL-59169 CVE-2025-30204 affecting package azcopy for versions less than 10.25.1-3

golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits via a call to strings.Split its argument which is untrusted data on periods. As a result, in the face of a malicious request whose...

AZL-59209 CVE-2025-30204 affecting package azcopy for versions less than 10.25.1-5

golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits via a call to strings.Split its argument which is untrusted data on periods. As a result, in the face of a malicious request whose...

AZL-59235 CVE-2025-30204 affecting package telegraf for versions less than 1.29.4-13

golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits via a call to strings.Split its argument which is untrusted data on periods. As a result, in the face of a malicious request whose...

AZL-59162 CVE-2025-30204 affecting package prometheus for versions less than 2.45.4-10

golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits via a call to strings.Split its argument which is untrusted data on periods. As a result, in the face of a malicious request whose...