CVE-2025-30204

一、漏洞信息
 漏洞编号：[CVE-2025-30204](https://nvd.nist.gov/vuln/detail/CVE-2025-30204)
 漏洞归属组件：[python-jwt](https://gitee.com/src-openeuler/python-jwt)
 漏洞归属的版本：1.7.1,2.0.0,2.0.1,2.3.0,2.5.0,2.6.0,2.7.0,2.8.0,2.9.0
 CVSS V3.0分值：
  BaseScore：7.5 High
  Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
 漏洞简述：
  golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer  followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function s argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.
 漏洞公开时间：2025-03-22 06:15:26
 漏洞创建时间：2025-03-22 07:03:12
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2025-30204
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| security-advisories.github.com | https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3 |  |
| security-advisories.github.com | https://github.com/golang-jwt/jwt/commit/bf316c48137a1212f8d0af9288cc9ce8e59f1afb |  |
| security-advisories.github.com | https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp |  |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20250404-0002/ |  |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-30204 | https://bugzilla.suse.com/show_bug.cgi?id=1240441 |
| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2025-30204 | https://bugzilla.suse.com/show_bug.cgi?id=1240441 |
| suse_bugzilla | https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3 | https://bugzilla.suse.com/show_bug.cgi?id=1240441 |
| suse_bugzilla | https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp | https://bugzilla.suse.com/show_bug.cgi?id=1240441 |
| suse_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 | https://bugzilla.suse.com/show_bug.cgi?id=1240441 |
| suse_bugzilla | https://github.com/CVEProject/cvelistV5/blob/main//cves/2025/30xxx/CVE-2025-30204.json | https://bugzilla.suse.com/show_bug.cgi?id=1240441 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:3344 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:3411 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:3503 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:3616 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:3618 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:3698 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:3565 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:3569 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:3577 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:3928 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:3929 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:3930 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:3775 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:3906 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:3798 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:3907 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:3790 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:4019 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:4008 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:4012 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:4250 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:4204 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:4177 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:4211 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:4462 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:4473 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:4502 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:4511 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:4569 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:4669 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:4409 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:4422 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:4810 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:7404 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:7407 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:7425 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:7475 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:7479 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:7503 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:4677 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:7967 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:7702 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:8075 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:8244 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:8267 | https://bugzilla.redhat.com/show_bug.cgi?id=2354195 |
| anolis |  | https://anas.openanolis.cn/cves/detail/CVE-2025-30204 |
| go | https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp | https://github.com/golang/vulndb/blob/master/reports/GO-2025-3553.yaml |
| go | https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3 | https://github.com/golang/vulndb/blob/master/reports/GO-2025-3553.yaml |
| osv | https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp | https://osv.dev/vulnerability/CVE-2025-30204 |
| osv | https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3 | https://osv.dev/vulnerability/CVE-2025-30204 |
| osv | https://security-tracker.debian.org/tracker/CVE-2025-30204 | https://osv.dev/vulnerability/CVE-2025-30204 |
| amazon_linux_explore | https://access.redhat.com/security/cve/CVE-2025-30204 | https://explore.alas.aws.amazon.com/CVE-2025-30204.html |
| amazon_linux_explore | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30204 | https://explore.alas.aws.amazon.com/CVE-2025-30204.html |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  openBrain开源漏洞感知系统
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
|  |  | https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3 |  | security-advisories.github.com |
|  |  | https://github.com/golang-jwt/jwt/commit/bf316c48137a1212f8d0af9288cc9ce8e59f1afb |  | security-advisories.github.com |
|  |  | https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3 |  | suse_bugzilla |
|  |  | https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3 |  | go |
|  |  | https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3 |  | osv |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
  golang-jwt是JSON Web Tokens的Go实现。从3.2.0版开始，在5.2.2和4.5.2版之前，函数parse.ParseUnverified在句点上拆分（通过对strings.Split的调用）其参数（这是不可信的数据）。因此，面对授权标头由Bearer后跟许多句点字符组成的恶意请求，对该函数的调用会导致分配O(n)个字节（其中n代表函数参数的长度），常数因子约为16。此问题已在5.2.2和4.5.2中修复。
 openEuler评分：
  7.5
 Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
 受影响版本排查(受影响/不受影响)：
  1.master:受影响
2.openEuler-20.03-LTS-SP4:受影响
3.openEuler-22.03-LTS-SP3(2.3.0):受影响
4.openEuler-22.03-LTS-SP4(2.3.0):受影响
5.openEuler-24.03-LTS(2.8.0):受影响
6.openEuler-24.03-LTS-Next(2.8.0):受影响
7.openEuler-24.03-LTS-SP1(2.8.0):受影响
8.openEuler-24.03-LTS-SP2(2.8.0):受影响

修复是否涉及abi变化(是/否)：
  1.master:否
2.openEuler-20.03-LTS-SP4:否
3.openEuler-22.03-LTS-SP3(2.3.0):否
4.openEuler-22.03-LTS-SP4(2.3.0):否
5.openEuler-24.03-LTS(2.8.0):否
6.openEuler-24.03-LTS-Next(2.8.0):否
7.openEuler-24.03-LTS-SP1(2.8.0):否
8.openEuler-24.03-LTS-SP2(2.8.0):否

原因说明：
  1.master:暂不修复-暂无解决方案或补丁
2.openEuler-20.03-LTS-SP4:暂不修复-暂无解决方案或补丁
3.openEuler-22.03-LTS-SP3(2.3.0):暂不修复-暂无解决方案或补丁
4.openEuler-22.03-LTS-SP4(2.3.0):暂不修复-暂无解决方案或补丁
5.openEuler-24.03-LTS(2.8.0):暂不修复-暂无解决方案或补丁
6.openEuler-24.03-LTS-Next(2.8.0):暂不修复-暂无解决方案或补丁
7.openEuler-24.03-LTS-SP1(2.8.0):暂不修复-暂无解决方案或补丁
8.openEuler-24.03-LTS-SP2(2.8.0):暂不修复-暂无解决方案或补丁

src-openEuler/python-jwt

内容风险标识

评论 (6)

src-openEuler/python-jwt .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2025-30204

评论 (6)

搜索帮助

src-openEuler/python-jwt