github.com/auth0/go-jwt-middleware/v2 is vulnerable to Denial of Service (DoS)
60
Medium Risk
Affected versions of this package are vulnerable to Denial of Service (DoS) through their dependency on go-jose v2 (CVE-2025-27144). A malicious JWT crafted with an excessive number of dot separators, or with an oversized payload, triggers uncontrolled memory allocation while the token is being split and parsed. Because parsing happens before any signature verification, the attacker does not need a valid token. The fix adds defense-in-depth protections ahead of parsing: tokens containing more than five dots are rejected, a 1MB size limit is enforced on the token, and dependencies are updated. Because go-jose v2 is archived and will not be patched, these checks mitigate the issue rather than fix its root cause; full remediation is planned for v3, when the library migrates to lestrrat-go/jwx.
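As an added illustration, not code from go-jwt-middleware or go-jose, the following Go program shows the shape of the pre-parse guard described above: it enforces the size limit and the dot-separator limit with non-allocating checks before the token is ever split, so a hostile token costs O(len(token)) and no memory proportional to its separator count. The function names `PrecheckToken` and `SplitCompact`, the reading of "1MB" as 1 MiB (1<<20 bytes), and the 3-or-5 segment rule in `SplitCompact` are assumptions of this example; the sample tokens are constructed, not real credentials.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Defense-in-depth limits as described in the advisory, applied before any
// JOSE parsing: at most five dot separators and at most 1 MB of input.
// Assumption: "1MB" is taken here to mean 1 MiB.
const (
	MaxDots      = 5
	MaxTokenSize = 1 << 20
)

var (
	ErrTokenTooLarge = errors.New("jwt: token exceeds 1 MB size limit")
	ErrTooManyDots   = errors.New("jwt: token has more than 5 dot separators")
)

// PrecheckToken is a hypothetical pre-parse guard (assumed name; not the
// middleware's or go-jose's API). It runs in O(len(token)) without
// allocating, so a hostile token is rejected before it can drive the
// per-segment allocation inside a compact JWS/JWE parser.
func PrecheckToken(token string) error {
	// Size first: this bounds the work done by the separator count below.
	if len(token) > MaxTokenSize {
		return ErrTokenTooLarge
	}
	// strings.Count allocates nothing. strings.Split would allocate a slice
	// with one entry per segment, i.e. attacker-controlled work and memory.
	if strings.Count(token, ".") > MaxDots {
		return ErrTooManyDots
	}
	return nil
}

// SplitCompact splits a compact-serialized token into its segments only after
// the guard has passed. Compact JWS has 3 segments and compact JWE has 5;
// rejecting anything else here is an extra check assumed by this example.
func SplitCompact(token string) ([]string, error) {
	if err := PrecheckToken(token); err != nil {
		return nil, err
	}
	parts := strings.Split(token, ".")
	if n := len(parts); n != 3 && n != 5 {
		return nil, fmt.Errorf("jwt: expected 3 or 5 segments, got %d", n)
	}
	return parts, nil
}

func main() {
	// Constructed inputs for demonstration; none is a real token.
	samples := []struct{ name, token string }{
		{"benign", "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJl"},
		{"many-dots", strings.Repeat(".", 1_000_000)}, // CVE-2025-27144 shape
		{"oversized", strings.Repeat("A", MaxTokenSize+1)},
		{"four-dots", "a.b.c.d.e"}, // JWE-shaped: passes both guards
	}
	for _, s := range samples {
		parts, err := SplitCompact(s.token)
		if err != nil {
			fmt.Printf("%-10s rejected: %v\n", s.name, err)
			continue
		}
		fmt.Printf("%-10s accepted with %d segments\n", s.name, len(parts))
	}
}
```

The order of the two checks matters: enforcing the size limit first means the separator count never scans more than 1 MiB, and neither check allocates, so the rejection path itself cannot be turned into the DoS. If a deployment only ever accepts signed tokens (JWS), tightening the segment rule to exactly 3 is a reasonable further restriction.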
You are affected if you are using a version that falls within the vulnerable range.
github.com/auth0/go-jwt-middleware/v2 is vulnerable to Denial of Service (DoS) in versions 0.0.1 - 2.3.0.
Upgrade the github.com/auth0/go-jwt-middleware/v2 library to a patched version (any release later than 2.3.0).