How severe is CVE-2025-27144?

This vulnerability has a severity rating of MEDIUM with a CVSS score of N/A out of 10.

What type of vulnerability is CVE-2025-27144?

This is classified as CWE-770, which is a common weakness in software security.

CVE-2025-27144 - MEDIUM Severity | CVSS N/A

Vulnerability Description

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.

Related Vulnerabilities

CVE-2018-20033

CRITICAL

CVSS:9.8(Critical)

A Remote Code Execution vulnerability in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier could allow a remote attacker to corrupt the memory by allocating / deall...

CWE-7702018

CVE-2019-17067

CRITICAL

CVSS:9.8(Critical)

PuTTY before 0.73 on Windows improperly opens port-forwarding listening sockets, which allows attackers to listen on the same port to steal an incoming connection.

CWE-7702019

CVE-2023-25156

CRITICAL

CVSS:9.8(Critical)

Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 12.0. This makes it easier to attempt brute-force attacks against the login page. Users should upgrad...

CWE-7702023

CVE-2023-38507

CRITICAL

CVSS:9.8(Critical)

Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. The...

CWE-7702023

CVE-2024-44241

CRITICAL

CVSS:9.8(Critical)

The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.1 and iPadOS 18.1. An attacker may be able to cause unexpected system termination or arbitrary code execution in DCP ...

CWE-7702024

CVE-2021-41591

CRITICAL

CVSS:9.4(Critical)

ACINQ Eclair before 0.6.3 allows loss of funds because of dust HTLC exposure.

CWE-7702021