fix(deps): update module github.com/golang-jwt/jwt/v5 to v5.2.2 [security] (release-1.15)

[phisco-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/golang-jwt/jwt/v5	v5.2.0 → v5.2.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

jwt-go allows excessive memory allocation during header parsing

CVE-2025-30204 / GHSA-mh63-6h87-95cp

More information

Details

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp
• https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3
• https://nvd.nist.gov/vuln/detail/CVE-2025-30204
• https://github.com/golang-jwt/jwt/commit/bf316c48137a1212f8d0af9288cc9ce8e59f1afb
• https://security.netapp.com/advisory/ntap-20250404-0002
• https://github.com/advisories/GHSA-mh63-6h87-95cp

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

jwt-go allows excessive memory allocation during header parsing

CVE-2025-30204 / GHSA-mh63-6h87-95cp / GO-2025-3553

More information

Details

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp
• https://nvd.nist.gov/vuln/detail/CVE-2025-30204
• https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3
• https://github.com/golang-jwt/jwt/commit/bf316c48137a1212f8d0af9288cc9ce8e59f1afb
• https://github.com/golang-jwt/jwt
• https://security.netapp.com/advisory/ntap-20250404-0002

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Excessive memory allocation during header parsing in github.com/golang-jwt/jwt

CVE-2025-30204 / GHSA-mh63-6h87-95cp / GO-2025-3553

More information

Details

Excessive memory allocation during header parsing in github.com/golang-jwt/jwt

Severity

Unknown

References

• https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp
• https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Release Notes

golang-jwt/jwt (github.com/golang-jwt/jwt/v5)

v5.2.2

Compare Source

What's Changed

• Fixed GHSA-mh63-6h87-95cp by @​mfridman
• Fixed some typos by @​Ashikpaul in #​382
• build: add go1.22 to ci workflows by @​mfridman in #​383
• Bump golangci/golangci-lint-action from 4 to 5 by @​dependabot in #​387
• Bump golangci/golangci-lint-action from 5 to 6 by @​dependabot in #​389
• chore: bump ci tests to include go1.23 by @​mfridman in #​405
• Fix jwt -show by @​AlexanderYastrebov in #​406
• docs: typo by @​kvii in #​407
• Update SECURITY.md by @​oxisto in #​416
• Update jwt.Parse example to use jwt.WithValidMethods by @​mattt in #​425

New Contributors

• @​Ashikpaul made their first contribution in #​382
• @​kvii made their first contribution in #​407
• @​mattt made their first contribution in #​425

Full Changelog: golang-jwt/jwt@v5.2.1...v5.2.2

v5.2.1

Compare Source

What's Changed

• chore: remove unnecessary conversions from tests by @​estensen in #​370
• Trivial: Typo fix for ECDSA error message by @​tjs-cinemo in #​373
• Fix incorrect error return by @​ss49919201 in #​371

New Contributors

• @​tjs-cinemo made their first contribution in #​373
• @​ss49919201 made their first contribution in #​371

Full Changelog: golang-jwt/jwt@v5.2.0...v5.2.1

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[phisco-renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.mod

Command failed: install-tool golang $(grep -oP ^toolchain go\K.+ go.mod)