@developerkunal
Contributor

📝 Checklist

  • All new/changed/fixed functionality is covered by tests (or N/A)
  • I have added documentation for all new/changed functionality (or N/A)

🔧 Changes

This PR adds mitigation for CVE-2025-27144, a high-severity DoS vulnerability in go-jose v2.

What's changed:

  • Added input validation to reject malicious tokens before parsing
  • Tokens with >5 dots are now rejected (protects against memory exhaustion)
  • Added 1MB token size limit
  • Updated Go to 1.24.0 and golang.org/x/crypto to v0.44.0

New files:

  • validator/security.go - validation logic
  • validator/security_test.go - security tests (all passing)

This is a defense-in-depth measure. The complete fix will be in v3 with the migration to lestrrat-go/jwx.

📚 References

🔬 Testing

All tests pass including new security tests:

  • Valid tokens (2-5 dots) are accepted
  • Malicious tokens (6+ dots) are rejected
  • Tokens >1MB are rejected
  • No breaking changes to existing functionality

- Add input validation to reject tokens with excessive dots (>5)
- Add token size limit (1MB) to prevent memory exhaustion
- Protect against DoS attack via malicious JWT tokens
- Update Go to 1.24.0 with toolchain 1.24.8
- Update golang.org/x/crypto to v0.44.0
- Add comprehensive security tests (all passing)

CVE-2025-27144 (CVSS 7.5 HIGH) - Defense-in-depth mitigation
@developerkunal developerkunal requested a review from a team as a code owner November 19, 2025 16:54
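The pre-parse check the PR describes, as an added Go example rather than the project's own validator/security.go: the function name ValidateTokenFormat, the error values and the constants are assumed, and it also rejects tokens with fewer than 2 dots (a compact JWS has exactly 2, a compact JWE 4), which goes beyond what the PR states.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Limits matching the mitigation described in the PR. The names are assumed;
// this is illustrative code, not the project's validator/security.go.
const (
	MaxTokenSize = 1 << 20 // 1 MiB cap on the raw token before parsing
	MaxDots      = 5       // compact JWS has 2 dots, JWE has 4; >5 is never valid
)

var (
	ErrTokenTooLarge = errors.New("token exceeds maximum size")
	ErrTooManyDots   = errors.New("token has too many '.' separators")
	ErrTooFewDots    = errors.New("token has too few '.' separators")
)

// ValidateTokenFormat is a cheap structural check run before a JOSE parser
// sees the token. It never splits the string: a length comparison plus one
// byte scan with strings.Count, so a hostile token costs O(len) and no
// per-segment allocations. The lower bound (<2 dots) goes beyond the PR.
func ValidateTokenFormat(token string) error {
	if n := len(token); n > MaxTokenSize {
		return fmt.Errorf("%w: %d bytes > %d", ErrTokenTooLarge, n, MaxTokenSize)
	}
	switch dots := strings.Count(token, "."); {
	case dots > MaxDots:
		return fmt.Errorf("%w: %d > %d", ErrTooManyDots, dots, MaxDots)
	case dots < 2:
		return fmt.Errorf("%w: %d < 2", ErrTooFewDots, dots)
	}
	return nil
}

func main() {
	// Constructed samples: a well-formed 3-part JWS, a dot flood, and an oversized blob.
	samples := map[string]string{
		"jws":       "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2ln",
		"dot-flood": strings.Repeat(".", 100000),
		"oversized": strings.Repeat("a", MaxTokenSize+1),
	}
	for name, tok := range samples {
		fmt.Printf("%-9s -> %v\n", name, ValidateTokenFormat(tok))
	}
}
```

Call it on the raw bearer string before handing the token to jose.ParseSigned or equivalent, so the parser never sees a token that failed the bounds.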
@codecov-commenter

codecov-commenter commented Nov 19, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.13%. Comparing base (5357b45) to head (0613b05).

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #344      +/-   ##
==========================================
+ Coverage   96.66%   97.13%   +0.46%     
==========================================
  Files           8        9       +1     
  Lines         390      314      -76     
==========================================
- Hits          377      305      -72     
+ Misses         10        6       -4     
  Partials        3        3              


Replace Templum/govulncheck-action with official golang/govulncheck-action@1.0.4
@developerkunal developerkunal changed the title from "security: CVE-2025-27144 mitigation for v2.4.0" to "security: CVE-2025-27144 mitigation for v2.3.1" Nov 19, 2025
@developerkunal developerkunal merged commit 283dc45 into master Nov 20, 2025
7 checks passed
@developerkunal developerkunal deleted the security/cve-2025-27144-mitigation branch November 20, 2025 05:58