CVE-2025-30204: 
Docker vulnerability analysis and mitigation

CVE-2025-30204 affects golang-jwt, a Go implementation of JSON Web Tokens, in versions prior to 5.2.2 and 4.5.2. The vulnerability was discovered and disclosed on March 21, 2025. The issue lies in the parse.ParseUnverified function which processes untrusted data in Authorization headers (GitHub Advisory).

The vulnerability stems from the parse.ParseUnverified function's implementation, which uses strings.Split to parse tokens on period characters. When processing a malicious request containing an Authorization header with Bearer followed by numerous period characters, the function performs memory allocations of O(n) bytes, where n is the argument length, with a constant factor of approximately 16. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

The primary impact of this vulnerability is the potential for excessive memory allocation, which could lead to resource exhaustion. When exploited, it can affect system availability by consuming disproportionate amounts of memory resources (GitHub Advisory).

The vulnerability has been fixed in golang-jwt versions 5.2.2 and 4.5.2. The fix involves replacing the strings.Split implementation with a more efficient token parsing mechanism that prevents excessive memory allocation (GitHub Commit, Red Hat Advisory).