Skip to content

fix(deps): update module github.com/golang-jwt/jwt/v4 to v4.5.2 [security]#41

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/go-github.com-golang-jwt-jwt-v4-vulnerability
Open

fix(deps): update module github.com/golang-jwt/jwt/v4 to v4.5.2 [security]#41
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/go-github.com-golang-jwt-jwt-v4-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Nov 4, 2024

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
github.com/golang-jwt/jwt/v4 v4.5.0v4.5.2 age confidence

Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations

CVE-2024-51744 / GHSA-29wx-vh33-7x7r

More information

Details

Summary

Unclear documentation of the error behavior in ParseWithClaims can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims return both error codes. If users only check for the jwt.ErrTokenExpired using error.Is, they will ignore the embedded jwt.ErrTokenSignatureInvalid and thus potentially accept invalid tokens.

Fix

We have back-ported the error handling logic from the v5 branch to the v4 branch. In this logic, the ParseWithClaims function will immediately return in "dangerous" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release.

Workaround

We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors ("dangerous" ones first), so that you are not running in the case detailed above.

token, err := /* jwt.Parse or similar */
if token.Valid {
	fmt.Println("You look nice today")
} else if errors.Is(err, jwt.ErrTokenMalformed) {
	fmt.Println("That's not even a token")
} else if errors.Is(err, jwt.ErrTokenUnverifiable) {
	fmt.Println("We could not verify this token")
} else if errors.Is(err, jwt.ErrTokenSignatureInvalid) {
	fmt.Println("This token has an invalid signature")
} else if errors.Is(err, jwt.ErrTokenExpired) || errors.Is(err, jwt.ErrTokenNotValidYet) {
	// Token is either expired or not active yet
	fmt.Println("Timing is everything")
} else {
	fmt.Println("Couldn't handle this token:", err)
}

Severity

  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


jwt-go allows excessive memory allocation during header parsing

CVE-2025-30204 / GHSA-mh63-6h87-95cp

More information

Details

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

golang-jwt/jwt (github.com/golang-jwt/jwt/v4)

v4.5.2

Compare Source

See GHSA-mh63-6h87-95cp

Full Changelog: golang-jwt/jwt@v4.5.1...v4.5.2

v4.5.1

Compare Source

Security

Unclear documentation of the error behavior in ParseWithClaims in <= 4.5.0 could lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims return both error codes. If users only check for the jwt.ErrTokenExpired using error.Is, they will ignore the embedded jwt.ErrTokenSignatureInvalid and thus potentially accept invalid tokens.

This issue was documented in GHSA-29wx-vh33-7x7r and fixed in this release.

Note: v5 was not affected by this issue. So upgrading to this release version is also recommended.

What's Changed

  • Back-ported error-handling logic in ParseWithClaims from v5 branch. This fixes GHSA-29wx-vh33-7x7r.

Full Changelog: golang-jwt/jwt@v4.5.0...v4.5.1


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@coveralls

coveralls commented Nov 4, 2024

Copy link
Copy Markdown

Coverage Report for CI Build 25022232093

Coverage remained the same at 63.399%

Details

  • Coverage remained the same as the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.


Coverage Stats

Coverage Status
Relevant Lines: 306
Covered Lines: 194
Line Coverage: 63.4%
Coverage Strength: 2.51 hits per line

💛 - Coveralls

@renovate renovate Bot changed the title fix(deps): update module github.com/golang-jwt/jwt/v4 to v4.5.1 [security] fix(deps): update module github.com/golang-jwt/jwt/v4 to v4.5.2 [security] Mar 22, 2025
@renovate renovate Bot force-pushed the renovate/go-github.com-golang-jwt-jwt-v4-vulnerability branch from 1b06a2a to 3f53900 Compare March 22, 2025 03:04
@renovate renovate Bot changed the title fix(deps): update module github.com/golang-jwt/jwt/v4 to v4.5.2 [security] fix(deps): update module github.com/golang-jwt/jwt/v4 to v4.5.2 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/go-github.com-golang-jwt-jwt-v4-vulnerability branch March 27, 2026 01:50
@renovate renovate Bot changed the title fix(deps): update module github.com/golang-jwt/jwt/v4 to v4.5.2 [security] - autoclosed fix(deps): update module github.com/golang-jwt/jwt/v4 to v4.5.2 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/go-github.com-golang-jwt-jwt-v4-vulnerability branch 2 times, most recently from 3f53900 to 016b5c8 Compare March 30, 2026 21:45
@renovate renovate Bot changed the title fix(deps): update module github.com/golang-jwt/jwt/v4 to v4.5.2 [security] fix(deps): update module github.com/golang-jwt/jwt/v4 to v4.5.2 [security] - autoclosed Apr 6, 2026
@renovate renovate Bot closed this Apr 6, 2026
@renovate renovate Bot changed the title fix(deps): update module github.com/golang-jwt/jwt/v4 to v4.5.2 [security] - autoclosed fix(deps): update module github.com/golang-jwt/jwt/v4 to v4.5.2 [security] Apr 6, 2026
@renovate renovate Bot reopened this Apr 6, 2026
@renovate renovate Bot force-pushed the renovate/go-github.com-golang-jwt-jwt-v4-vulnerability branch 2 times, most recently from 016b5c8 to 9ec941c Compare April 6, 2026 09:37
@renovate renovate Bot changed the title fix(deps): update module github.com/golang-jwt/jwt/v4 to v4.5.2 [security] fix(deps): update module github.com/golang-jwt/jwt/v4 to v4.5.2 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title fix(deps): update module github.com/golang-jwt/jwt/v4 to v4.5.2 [security] - autoclosed fix(deps): update module github.com/golang-jwt/jwt/v4 to v4.5.2 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/go-github.com-golang-jwt-jwt-v4-vulnerability branch 2 times, most recently from 9ec941c to 11297dc Compare April 27, 2026 22:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant