chore(deps): update module github.com/golang-jwt/jwt/v5 to v5.2.2 [security]

[NumaryBot]

This PR contains the following updates:

Package	Type	Update	Change
github.com/golang-jwt/jwt/v5	indirect	patch	v5.2.1 -> v5.2.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-30204

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

---

Excessive memory allocation during header parsing in github.com/golang-jwt/jwt

CVE-2025-30204 / GHSA-mh63-6h87-95cp / GO-2025-3553

More information

Details

Excessive memory allocation during header parsing in github.com/golang-jwt/jwt

Severity

Unknown

References

• https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp
• https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

jwt-go allows excessive memory allocation during header parsing

CVE-2025-30204 / GHSA-mh63-6h87-95cp / GO-2025-3553

More information

Details

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp
• https://nvd.nist.gov/vuln/detail/CVE-2025-30204
• https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3
• https://github.com/golang-jwt/jwt/commit/bf316c48137a1212f8d0af9288cc9ce8e59f1afb
• https://github.com/golang-jwt/jwt
• https://security.netapp.com/advisory/ntap-20250404-0002

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

golang-jwt/jwt (github.com/golang-jwt/jwt/v5)

v5.2.2

Compare Source

What's Changed

• Fixed GHSA-mh63-6h87-95cp by @​mfridman
• Fixed some typos by @​Ashikpaul in https://github.com/golang-jwt/jwt/pull/382
• build: add go1.22 to ci workflows by @​mfridman in https://github.com/golang-jwt/jwt/pull/383
• Bump golangci/golangci-lint-action from 4 to 5 by @​dependabot in https://github.com/golang-jwt/jwt/pull/387
• Bump golangci/golangci-lint-action from 5 to 6 by @​dependabot in https://github.com/golang-jwt/jwt/pull/389
• chore: bump ci tests to include go1.23 by @​mfridman in https://github.com/golang-jwt/jwt/pull/405
• Fix jwt -show by @​AlexanderYastrebov in https://github.com/golang-jwt/jwt/pull/406
• docs: typo by @​kvii in https://github.com/golang-jwt/jwt/pull/407
• Update SECURITY.md by @​oxisto in https://github.com/golang-jwt/jwt/pull/416
• Update jwt.Parse example to use jwt.WithValidMethods by @​mattt in https://github.com/golang-jwt/jwt/pull/425

New Contributors

• @​Ashikpaul made their first contribution in https://github.com/golang-jwt/jwt/pull/382
• @​kvii made their first contribution in https://github.com/golang-jwt/jwt/pull/407
• @​mattt made their first contribution in https://github.com/golang-jwt/jwt/pull/425

Full Changelog: golang-jwt/jwt@v5.2.1...v5.2.2

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (2)

• go.mod is excluded by !**/*.mod
• go.sum is excluded by !**/*.sum, !**/*.sum

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch renovate/go-github.com-golang-jwt-jwt-v5-vulnerability

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[flemzord]

LGTM