[Bug 1239233] New: VUL-0: CVE-2025-22868: traefik: golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2
https://bugzilla.suse.com/show_bug.cgi?id=1239233 Bug ID: 1239233 Summary: VUL-0: CVE-2025-22868: traefik: golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2 Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other URL: https://smash.suse.de/issue/442876/ OS: Other Status: NEW Whiteboard: CVSSv3.1:SUSE:CVE-2025-22868:7.5:(AV:N/AC:L/PR:N/UI:N/ S:U/C:N/I:N/A:H) Severity: Major Priority: P5 - None Component: Security Assignee: alexandre.vicenzi@suse.com Reporter: andrea.mattiazzo@suse.com QA Contact: security-team@suse.de Blocks: 1239185 Target Milestone: --- Found By: --- Blocker: --- An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-22868 https://github.com/CVEProject/cvelistV5/blob/main//cves/2025/22xxx/CVE-2025-... https://bugzilla.redhat.com/show_bug.cgi?id=2348366 -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1239233 https://bugzilla.suse.com/show_bug.cgi?id=1239233#c1 --- Comment #1 from Andrea Mattiazzo <andrea.mattiazzo@suse.com> --- The packages below are or contain embedded packages that are vulnerable to CVE-2025-22868: - openSUSE:Factory/traefik contains embedded package: golang.org/x/oauth2/jws (0.24.0) Please consider version bumping or patching the affected dependencies. The listed codestreams are affected. All other codestreams should not be affected, but feel free to double-check. This is a auto-generated message, please reach out to the reporter directly if you think this is incorrect. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1239233 SMASH SMASH <smash_bz@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P3 - Medium -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1239233 https://bugzilla.suse.com/show_bug.cgi?id=1239233#c2 Alexandre Vicenzi <alexandre.vicenzi@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|alexandre.vicenzi@suse.com |security-team@suse.de --- Comment #2 from Alexandre Vicenzi <alexandre.vicenzi@suse.com> --- This was fixed in 3.3.6 [1]. Factory is now on 3.3.6 [2]. [1]: https://github.com/traefik/traefik/commit/e3caaf0791ecb3102d0f8c4e3acaab635f... [2]: https://build.opensuse.org/request/show/1271294 -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com