Commit d3114c8
authored
Update module github.com/golang-jwt/jwt/v5 to v5.2.2 [SECURITY] (#4516)
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [github.com/golang-jwt/jwt/v5](https://redirect.github.com/golang-jwt/jwt) | `v5.2.1` -> `v5.2.2` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) |
### GitHub Vulnerability Alerts
#### [CVE-2025-30204](https://redirect.github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp)
### Summary
Function
[`parse.ParseUnverified`](https://redirect.github.com/golang-jwt/jwt/blob/c035977d9e11c351f4c05dfeae193923cbab49ee/parser.go#L138-L139)
currently splits (via a call to
[strings.Split](https://pkg.go.dev/strings#Split)) its argument (which
is untrusted data) on periods.
As a result, in the face of a malicious request whose _Authorization_
header consists of `Bearer ` followed by many period characters, a call
to that function incurs allocations to the tune of O(n) bytes (where n
stands for the length of the function's argument), with a constant
factor of about 16. Relevant weakness: [CWE-405: Asymmetric Resource
Consumption
(Amplification)](https://cwe.mitre.org/data/definitions/405.html)
### Details
See
[`parse.ParseUnverified`](https://redirect.github.com/golang-jwt/jwt/blob/c035977d9e11c351f4c05dfeae193923cbab49ee/parser.go#L138-L139)
### Impact
Excessive memory allocation
---
### Release Notes
<details>
<summary>golang-jwt/jwt (github.com/golang-jwt/jwt/v5)</summary>
### [`v5.2.2`](https://redirect.github.com/golang-jwt/jwt/releases/tag/v5.2.2)
[Compare Source](https://redirect.github.com/golang-jwt/jwt/compare/v5.2.1...v5.2.2)
#### What's Changed
- Fixed GHSA-mh63-6h87-95cp by [@mfridman](https://redirect.github.com/mfridman)
- Fixed some typos by [@Ashikpaul](https://redirect.github.com/Ashikpaul) in [https://github.com/golang-jwt/jwt/pull/382](https://redirect.github.com/golang-jwt/jwt/pull/382)
- build: add go1.22 to ci workflows by [@mfridman](https://redirect.github.com/mfridman) in [https://github.com/golang-jwt/jwt/pull/383](https://redirect.github.com/golang-jwt/jwt/pull/383)
- Bump golangci/golangci-lint-action from 4 to 5 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/golang-jwt/jwt/pull/387](https://redirect.github.com/golang-jwt/jwt/pull/387)
- Bump golangci/golangci-lint-action from 5 to 6 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/golang-jwt/jwt/pull/389](https://redirect.github.com/golang-jwt/jwt/pull/389)
- chore: bump ci tests to include go1.23 by [@mfridman](https://redirect.github.com/mfridman) in [https://github.com/golang-jwt/jwt/pull/405](https://redirect.github.com/golang-jwt/jwt/pull/405)
- Fix jwt -show by [@AlexanderYastrebov](https://redirect.github.com/AlexanderYastrebov) in [https://github.com/golang-jwt/jwt/pull/406](https://redirect.github.com/golang-jwt/jwt/pull/406)
- docs: typo by [@kvii](https://redirect.github.com/kvii) in [https://github.com/golang-jwt/jwt/pull/407](https://redirect.github.com/golang-jwt/jwt/pull/407)
- Update SECURITY.md by [@oxisto](https://redirect.github.com/oxisto) in [https://github.com/golang-jwt/jwt/pull/416](https://redirect.github.com/golang-jwt/jwt/pull/416)
- Update `jwt.Parse` example to use `jwt.WithValidMethods` by [@mattt](https://redirect.github.com/mattt) in [https://github.com/golang-jwt/jwt/pull/425](https://redirect.github.com/golang-jwt/jwt/pull/425)
#### New Contributors
- [@Ashikpaul](https://redirect.github.com/Ashikpaul) made their first contribution in [https://github.com/golang-jwt/jwt/pull/382](https://redirect.github.com/golang-jwt/jwt/pull/382)
- [@kvii](https://redirect.github.com/kvii) made their first contribution in [https://github.com/golang-jwt/jwt/pull/407](https://redirect.github.com/golang-jwt/jwt/pull/407)
- [@mattt](https://redirect.github.com/mattt) made their first contribution in [https://github.com/golang-jwt/jwt/pull/425](https://redirect.github.com/golang-jwt/jwt/pull/425)
**Full Changelog**: golang-jwt/jwt@v5.2.1...v5.2.2
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" in timezone Europe/Paris, Automerge
- At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/cozy/cozy-stack).
2 files changed, +3 -3 lines changed. The rendered diff hunks were not captured on this page: the first file has one line replaced at line 20, the second has two lines replaced at lines 116-117.
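The advisory quoted in the commit message describes the amplification in general terms: `strings.Split` on an untrusted Authorization value allocates one string header per period before the segment count is ever checked. The Go program below is an added example, not code from golang-jwt or from cozy-stack, that puts that pattern (`splitUnbounded`) beside a bounded alternative (`splitBounded`, built on `strings.Cut`, which is this example's own approach rather than a claim about how v5.2.2 patched the library) and measures the difference on a constructed hostile header. The helpers `bearerToken`, `allocBytes` and the 1 MiB run of periods are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"runtime"
	"strings"
)

// ErrMalformed is returned for any input that is not exactly three
// dot-separated segments (header.claims.signature).
var ErrMalformed = errors.New("token malformed: want exactly 3 dot-separated segments")

// bearerToken strips the "Bearer " scheme from an Authorization header value.
// Hypothetical helper for this example; it is not a full RFC 6750 parser.
func bearerToken(header string) (string, bool) {
	const scheme = "Bearer "
	if len(header) < len(scheme) || !strings.EqualFold(header[:len(scheme)], scheme) {
		return "", false
	}
	return header[len(scheme):], true
}

// splitUnbounded reproduces the pattern the advisory describes: strings.Split
// on untrusted input allocates one string header (16 bytes on 64-bit) per
// period before the segment count is checked, so n periods cost about 16*n bytes.
func splitUnbounded(token string) ([]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	return parts, nil
}

// splitBounded walks the input with strings.Cut and rejects the token as soon
// as a third period is seen. The only allocation is the 3-element result,
// regardless of how many periods the attacker supplies.
func splitBounded(token string) ([]string, error) {
	header, rest, ok := strings.Cut(token, ".")
	if !ok {
		return nil, ErrMalformed
	}
	claims, rest, ok := strings.Cut(rest, ".")
	if !ok {
		return nil, ErrMalformed
	}
	// rest must be the signature with no further delimiter.
	if _, _, extra := strings.Cut(rest, "."); extra {
		return nil, ErrMalformed
	}
	return []string{header, claims, rest}, nil
}

// allocBytes reports heap bytes allocated while fn runs once. Coarse, but
// sufficient to show the asymmetry between input size and allocation.
func allocBytes(fn func()) uint64 {
	var before, after runtime.MemStats
	runtime.GC()
	runtime.ReadMemStats(&before)
	fn()
	runtime.ReadMemStats(&after)
	return after.TotalAlloc - before.TotalAlloc
}

func main() {
	// Constructed hostile header: the Bearer scheme followed by 1 MiB of periods.
	hostile := "Bearer " + strings.Repeat(".", 1<<20)
	tok, _ := bearerToken(hostile)

	unbounded := allocBytes(func() { _, _ = splitUnbounded(tok) })
	bounded := allocBytes(func() { _, _ = splitBounded(tok) })
	fmt.Printf("input %d bytes: strings.Split path allocated %d bytes, bounded path %d bytes\n",
		len(tok), unbounded, bounded)
}
```

Both splitters reject the same malformed inputs; the difference is only when the rejection happens. Rejecting on the third period also closes the door on variants such as a valid-looking token followed by a long tail of separators, since the check runs before any per-segment work.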