From fd9e9c4ed1fb52dc66c342366c1e6ebfab9fb671 Mon Sep 17 00:00:00 2001
From: rcmadhankumar <madhankumar.chellamuthu@suse.com>
Date: Thu, 5 Feb 2026 13:33:44 +0530
Subject: [PATCH] CVE-2025-30204 fix: Remove strings.Split and add parseToken
function
--
CVE-2025-30204
golang-jwt is a Go implementation of JSON Web Tokens. Starting in
version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function
parse.ParseUnverified splits (via a call to strings.Split) its argument
(which is untrusted data) on periods. As a result, in the face of a
malicious request whose Authorization header consists of Bearer
followed by many period characters, a call to that function incurs
allocations to the tune of O(n) bytes (where n stands for the length
of the function's argument), with a constant factor of about 16.
This issue is fixed in 5.2.2 and 4.5.2.
reference commit: https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3
Fixes bsc#1240513
Fixes CVE-2025-30204
---
vendor/github.com/golang-jwt/jwt/v4/parser.go | 36 +++++++++++++++++--
1 file changed, 33 insertions(+), 3 deletions(-)
diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go
index 2f61a69d7f..9484f285f7 100644
--- a/vendor/github.com/golang-jwt/jwt/v4/parser.go
+++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go
@@ -7,6 +7,8 @@ import (
"strings"
)
+const tokenDelimiter = "."
+
type Parser struct {
// If populated, only these methods will be considered valid.
//
@@ -116,9 +118,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
// It's only ever useful in cases where you know the signature is valid (because it has
// been checked previously in the stack) and you want to extract values from it.
func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
- parts = strings.Split(tokenString, ".")
- if len(parts) != 3 {
- return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
+ var ok bool
+ parts, ok = splitToken(tokenString)
+ if !ok {
+ return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
}
token = &Token{Raw: tokenString}
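Review bot: The malformed-token branch now returns `nil` for parts where the old code handed back the partial strings.Split result, so any caller that inspects parts alongside a non-nil err sees a contract change, and the doc comment on ParseUnverified (it begins before this hunk) does not mention it. Suggest appending to that comment: `// On a malformed token (not exactly three dot-separated segments) parts is nil and err carries ValidationErrorMalformed.` Callers inside this package presumably discard parts when err is non-nil, but that cannot be confirmed from the hunk. The body of ParseUnverified continues past the hunk.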
@@ -168,3 +171,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
return token, parts, nil
}
+
+// splitToken splits a token string into three parts: header, claims, and signature. It will only
+// return true if the token contains exactly two delimiters and three parts. In all other cases, it
+// will return nil parts and false.
+func splitToken(token string) ([]string, bool) {
+ parts := make([]string, 3)
+ header, remain, ok := strings.Cut(token, tokenDelimiter)
+ if !ok {
+ return nil, false
+ }
+ parts[0] = header
+ claims, remain, ok := strings.Cut(remain, tokenDelimiter)
+ if !ok {
+ return nil, false
+ }
+ parts[1] = claims
+ // One more cut to ensure the signature is the last part of the token and there are no more
+ // delimiters. This avoids an issue where malicious input could contain additional delimiters
+ // causing unecessary overhead parsing tokens.
+ signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
+ if unexpected {
+ return nil, false
+ }
+ parts[2] = signature
+
+ return parts, true
+}
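Review bot: splitToken allocates the result slice at `parts := make([]string, 3)` before the first delimiter check, so every malformed input with no delimiter at all still pays a slice allocation that the early returns then discard. Building the slice only on the success path removes that and the three index writes: replace the final return with `return []string{header, claims, signature}, true` and drop the `make` and the `parts[i] = ...` lines. The comment on the third cut has a typo, `unecessary` → `unnecessary`. The three fixed strings.Cut calls bound the work to at most three substrings regardless of how many delimiters the input contains, which is what closes the allocation issue the commit message describes.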
--
2.52.0