CVE-2025-22868: Unexpected memory consumption during token parsing in golang.org/x/oauth2
Summary
We have encountered a security vulnerability being reported by our scanners for Traefik 2.11.22.
- https://security.snyk.io/vuln/SNYK-CHAINGUARDLATEST-TRAEFIK33-9403297
Details
It seems to target the oauth2/jws library.
PoC
No steps to replicate this vulnerability.
Impact
We have strict control over security and we always try to stay up-to-date with the fixes received for third-party solutions.
Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.24
- https://github.com/traefik/traefik/releases/tag/v3.3.6
- https://github.com/traefik/traefik/releases/tag/v3.4.0-rc2
Other sources
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
— MITRE
Unexpected memory consumption during token parsing in golang.org/x/oauth2
— Microsoft
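As an added illustration (not code from the advisory, Traefik, or golang.org/x/oauth2), the Go snippet below contrasts a parser that splits a compact JWS on every "." with a bounded form that caps the token size and the number of parts, so a separator-flooded token cannot drive allocations. The size limit, token values, and function names are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// maxTokenBytes is an assumed upper bound for a compact JWS on the wire;
// real deployments should size it to their issuer's tokens.
const maxTokenBytes = 8192

// ConstructedToken is a made-up, well-formed compact JWS shape
// (header.payload.signature); it is not a real or valid credential.
const ConstructedToken = "eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJleGFtcGxlIn0.c2lnbmF0dXJl"

// SeparatorFlood builds a malformed token made only of separators, the
// input shape that makes an unbounded split allocate one part per dot.
func SeparatorFlood(n int) string { return strings.Repeat(".", n) }

// PartsUnbounded mirrors a parser that splits on every separator: the
// number of allocated substrings grows linearly with the untrusted input.
func PartsUnbounded(token string) int { return len(strings.Split(token, ".")) }

// SplitJWS is the hardened form: it caps input size, asks SplitN for at
// most four parts (a fourth proves extra separators exist), and rejects
// anything that is not exactly three non-empty segments.
func SplitJWS(token string) ([3]string, error) {
	var seg [3]string
	if len(token) > maxTokenBytes {
		return seg, fmt.Errorf("jws: token of %d bytes exceeds limit %d", len(token), maxTokenBytes)
	}
	parts := strings.SplitN(token, ".", 4)
	if len(parts) != 3 {
		return seg, fmt.Errorf("jws: want 3 parts, got %d", len(parts))
	}
	for i, p := range parts {
		if p == "" {
			return seg, errors.New("jws: empty segment")
		}
		seg[i] = p
	}
	return seg, nil
}

func main() {
	fmt.Println(PartsUnbounded(SeparatorFlood(1000))) // 1001 parts from a 1000-byte token
	_, err := SplitJWS(SeparatorFlood(1000))
	fmt.Println(err) // jws: want 3 parts, got 4
}
```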
Frequently Asked Questions
What is the severity of CVE-2025-22868?
CVE-2025-22868 has been classified as a medium severity vulnerability due to its potential impact on memory consumption during token parsing.
How do I fix CVE-2025-22868?
To fix CVE-2025-22868, update to a version of golang.org/x/oauth2 that contains the fix, or, for Traefik, to one of the patched releases listed above.
What type of attacks can exploit CVE-2025-22868?
CVE-2025-22868 can be exploited through the use of malicious malformed tokens that can lead to unexpected memory consumption.
Which software is affected by CVE-2025-22868?
CVE-2025-22868 affects the golang.org/x/oauth2 module and software that bundles it, such as Traefik releases before the patched versions listed above.
What are the potential consequences of CVE-2025-22868?
The potential consequences of CVE-2025-22868 include application crashes or denial of service due to excessive memory usage.