github.com/coreos/go-oidc/v3 is vulnerable to Denial of Service (DoS)
50
Medium Risk
Affected versions are vulnerable to Denial of Service (DoS) because of how ID tokens are handled. The package attempts to parse claims from an ID token before validating it, so an attacker does not need a validly signed token: a specially crafted invalid token can trigger excessive memory allocation during parsing. This can exhaust memory and crash the application. The fix validates the ID token before parsing claims, so unauthenticated input is rejected before it drives any allocation.
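The ordering problem described above, shown as an added example that is not go-oidc's own code. It uses a constructed HMAC-signed compact token (real ID tokens are normally RS256/ES256 and checked against the issuer's JWKS) and a hypothetical size bound `maxTokenBytes`; the function names `VulnerableVerify`, `HardenedVerify`, `MintToken` and `ForgeBloatedToken` are this example's, not the library's. The vulnerable path decodes and unmarshals the payload before checking the signature; the hardened path bounds the input size and authenticates first, so a forged token is rejected before any JSON work happens.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed for this example: a shared HMAC key (real ID tokens are usually
// asymmetrically signed and verified against the issuer's JWKS).
var hmacKey = []byte("constructed-example-key")

// Assumed bound on a whole compact token; size it to what your IdP actually issues.
const maxTokenBytes = 4 * 1024

var (
	ErrMalformed    = errors.New("malformed token")
	ErrTooLarge     = errors.New("token exceeds size limit")
	ErrBadSignature = errors.New("signature verification failed")
)

// Claims is the subset of ID token claims this example cares about.
type Claims struct {
	Issuer  string `json:"iss"`
	Subject string `json:"sub"`
}

// mac returns the base64url HMAC-SHA256 over "header.payload".
func mac(header, payload string) string {
	m := hmac.New(sha256.New, hmacKey)
	m.Write([]byte(header + "." + payload))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

func checkSignature(header, payload, sig string) bool {
	return hmac.Equal([]byte(mac(header, payload)), []byte(sig))
}

func splitToken(token string) (header, payload, sig string, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", "", "", ErrMalformed
	}
	return parts[0], parts[1], parts[2], nil
}

// MintToken produces a validly signed token for the given claims.
func MintToken(c Claims) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	payload := base64.RawURLEncoding.EncodeToString(body)
	return header + "." + payload + "." + mac(header, payload)
}

// ForgeBloatedToken builds attacker-controlled input: well-formed JSON padded to
// roughly padBytes bytes, carrying a signature the verifier will never accept.
func ForgeBloatedToken(padBytes int) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body := fmt.Sprintf(`{"iss":"https://attacker.example","sub":"x","pad":"%s"}`, strings.Repeat("A", padBytes))
	payload := base64.RawURLEncoding.EncodeToString([]byte(body))
	return header + "." + payload + "." + base64.RawURLEncoding.EncodeToString([]byte("not-a-signature"))
}

// VulnerableVerify mirrors the pattern the advisory describes: the payload is
// decoded and unmarshalled BEFORE the signature is checked, so unauthenticated
// input drives all the allocation. The first return value is how many payload
// bytes were decoded and parsed before any rejection, to make that cost visible.
func VulnerableVerify(token string) (int, *Claims, error) {
	header, payload, sig, err := splitToken(token)
	if err != nil {
		return 0, nil, err
	}
	raw, err := base64.RawURLEncoding.DecodeString(payload)
	if err != nil {
		return 0, nil, ErrMalformed
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return len(raw), nil, ErrMalformed
	}
	if !checkSignature(header, payload, sig) { // checked last: the work is already done
		return len(raw), nil, ErrBadSignature
	}
	return len(raw), &c, nil
}

// HardenedVerify applies the fix the advisory describes (authenticate before parse)
// plus an input bound, so a forged token is rejected before any decode or JSON work.
func HardenedVerify(token string) (int, *Claims, error) {
	if len(token) > maxTokenBytes {
		return 0, nil, ErrTooLarge
	}
	header, payload, sig, err := splitToken(token)
	if err != nil {
		return 0, nil, err
	}
	if !checkSignature(header, payload, sig) {
		return 0, nil, ErrBadSignature
	}
	raw, err := base64.RawURLEncoding.DecodeString(payload)
	if err != nil {
		return 0, nil, ErrMalformed
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return 0, nil, ErrMalformed
	}
	return len(raw), &c, nil
}

func main() {
	good := MintToken(Claims{Issuer: "https://idp.example", Subject: "alice"})
	bad := ForgeBloatedToken(1 << 20) // about 1 MiB of attacker-chosen JSON
	for _, tok := range []string{good, bad} {
		n, _, err := VulnerableVerify(tok)
		fmt.Printf("vulnerable: parsed %d bytes, err=%v\n", n, err)
		n, _, err = HardenedVerify(tok)
		fmt.Printf("hardened:   parsed %d bytes, err=%v\n", n, err)
	}
}
```

Running it shows the vulnerable path decoding and parsing the full megabyte of forged payload before it ever notices the bad signature, while the hardened path does zero payload work on the same input. The size bound is a belt-and-braces addition: signature-first ordering alone already stops the allocation the advisory describes, but a cap keeps even the HMAC computation bounded on hostile input.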
You are affected if you are using a version that falls within the vulnerable range.
github.com/coreos/go-oidc/v3 is vulnerable to Denial of Service (DoS) in versions 3.0.0 - 3.14.1.
Upgrade github.com/coreos/go-oidc/v3 to a version later than 3.14.1, which contains the fix.