
testkube-enterprise-worker-service-2.6.3_linux_amd64

Digest: sha256:56864f66316e0e51237b60aa3d147bc24d51da9e28a672e5363c17fc67092a8c
Vulnerabilities: critical: 0, high: 0, medium: 1, low: 0
Platform: linux/amd64
Size: 56 MB
Packages: 388

Vulnerable package (critical: 0, high: 0, medium: 1, low: 0): github.com/go-jose/go-jose 2.6.3+incompatible (golang)

pkg:golang/github.com/go-jose/go-jose@2.6.3%2Bincompatible

medium 6.9: CVE-2025-27144 Uncontrolled Resource Consumption

Affected range: <3.0.4
Fixed version: 3.0.4
CVSS Score: 6.9
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
EPSS Score: 0.078%
EPSS Percentile: 23rd percentile
Description

Impact

When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of '.' characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.

Patches

Version 4.0.5 fixes this issue

Workarounds

Applications could pre-validate that payloads passed to go-jose do not contain an excessive number of '.' characters.

References

This is the same sort of issue as CVE-2025-22868 in the golang.org/x/oauth2/jws package; see also Go issue https://go.dev/issue/71490.