CVE-2025-27144: 
Packer vulnerability analysis and mitigation

Go JOSE, an implementation of Javascript Object Signing and Encryption standards in Go, disclosed a vulnerability (CVE-2025-27144) on February 24, 2025. The vulnerability affects versions on the 4.x branch prior to version 4.0.5, where the code used for parsing compact JWS or JWE input could lead to excessive memory consumption (NVD, GitHub Advisory).

The vulnerability stems from the use of strings.Split(token, ".") to split JWT tokens without proper bounds checking. When processing maliciously crafted tokens containing a large number of '.' characters, the parsing operation could consume excessive memory. The issue has been assigned a CVSS v4.0 score of 6.6 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U and is classified as CWE-770 (Allocation of Resources Without Limits or Throttling) (Red Hat).

An attacker could exploit this vulnerability by sending numerous malformed tokens with excessive '.' characters, leading to memory exhaustion and ultimately causing a Denial of Service condition in the affected application (GitHub Advisory).

The vulnerability has been fixed in version 4.0.5 of Go JOSE. As a workaround for systems that cannot immediately update, applications can pre-validate that payloads passed to Go JOSE do not contain an excessive number of '.' characters (GitHub Release, GitHub Commit).