csaf_redhat - rhsa-2025:3593

rhsa-2025:3593

Vulnerability from csaf_redhat

Published

2025-04-03 13:38

Modified

2025-04-29 03:43

Summary

Red Hat Security Advisory: opentelemetry-collector security update

Notes

Topic

An update for opentelemetry-collector is now available for Red Hat Enterprise Linux 9.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Collector with the supported components for a Red Hat build of OpenTelemetry Security Fix(es): * golang: net/http: net/http: sensitive headers incorrectly sent after cross-domain redirect (CVE-2024-45336) * go-jose: Go JOSE's Parsing Vulnerable to Denial of Service (CVE-2025-27144) * golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws (CVE-2025-22868) * github.com/expr-lang/expr: Memory Exhaustion in Expr Parser with Unrestricted Input (CVE-2025-29786) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Important",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "An update for opentelemetry-collector is now available for Red Hat Enterprise Linux 9.4 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
            title: "Topic",
         },
         {
            category: "general",
            text: "Collector with the supported components for a Red Hat build of OpenTelemetry\n\nSecurity Fix(es):\n\n* golang: net/http: net/http: sensitive headers incorrectly sent after cross-domain redirect (CVE-2024-45336)\n\n* go-jose: Go JOSE's Parsing Vulnerable to Denial of Service (CVE-2025-27144)\n\n* golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws (CVE-2025-22868)\n\n* github.com/expr-lang/expr: Memory Exhaustion in Expr Parser with Unrestricted Input (CVE-2025-29786)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2025:3593",
            url: "https://access.redhat.com/errata/RHSA-2025:3593",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#important",
            url: "https://access.redhat.com/security/updates/classification/#important",
         },
         {
            category: "external",
            summary: "2341751",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2341751",
         },
         {
            category: "external",
            summary: "2347423",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2347423",
         },
         {
            category: "external",
            summary: "2348366",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2348366",
         },
         {
            category: "external",
            summary: "2352914",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2352914",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_3593.json",
         },
      ],
      title: "Red Hat Security Advisory: opentelemetry-collector security update",
      tracking: {
         current_release_date: "2025-04-29T03:43:27+00:00",
         generator: {
            date: "2025-04-29T03:43:27+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.4.3",
            },
         },
         id: "RHSA-2025:3593",
         initial_release_date: "2025-04-03T13:38:52+00:00",
         revision_history: [
            {
               date: "2025-04-03T13:38:52+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2025-04-03T13:38:52+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2025-04-29T03:43:27+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
                        product: {
                           name: "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
                           product_id: "AppStream-9.4.0.Z.EUS",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:rhel_eus:9.4::appstream",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Red Hat Enterprise Linux",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "opentelemetry-collector-0:0.107.0-7.el9_4.src",
                        product: {
                           name: "opentelemetry-collector-0:0.107.0-7.el9_4.src",
                           product_id: "opentelemetry-collector-0:0.107.0-7.el9_4.src",
                           product_identification_helper: {
                              purl: "pkg:rpm/redhat/opentelemetry-collector@0.107.0-7.el9_4?arch=src",
                           },
                        },
                     },
                  ],
                  category: "architecture",
                  name: "src",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "opentelemetry-collector-0:0.107.0-7.el9_4.aarch64",
                        product: {
                           name: "opentelemetry-collector-0:0.107.0-7.el9_4.aarch64",
                           product_id: "opentelemetry-collector-0:0.107.0-7.el9_4.aarch64",
                           product_identification_helper: {
                              purl: "pkg:rpm/redhat/opentelemetry-collector@0.107.0-7.el9_4?arch=aarch64",
                           },
                        },
                     },
                  ],
                  category: "architecture",
                  name: "aarch64",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "opentelemetry-collector-0:0.107.0-7.el9_4.ppc64le",
                        product: {
                           name: "opentelemetry-collector-0:0.107.0-7.el9_4.ppc64le",
                           product_id: "opentelemetry-collector-0:0.107.0-7.el9_4.ppc64le",
                           product_identification_helper: {
                              purl: "pkg:rpm/redhat/opentelemetry-collector@0.107.0-7.el9_4?arch=ppc64le",
                           },
                        },
                     },
                  ],
                  category: "architecture",
                  name: "ppc64le",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "opentelemetry-collector-0:0.107.0-7.el9_4.x86_64",
                        product: {
                           name: "opentelemetry-collector-0:0.107.0-7.el9_4.x86_64",
                           product_id: "opentelemetry-collector-0:0.107.0-7.el9_4.x86_64",
                           product_identification_helper: {
                              purl: "pkg:rpm/redhat/opentelemetry-collector@0.107.0-7.el9_4?arch=x86_64",
                           },
                        },
                     },
                  ],
                  category: "architecture",
                  name: "x86_64",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "opentelemetry-collector-0:0.107.0-7.el9_4.s390x",
                        product: {
                           name: "opentelemetry-collector-0:0.107.0-7.el9_4.s390x",
                           product_id: "opentelemetry-collector-0:0.107.0-7.el9_4.s390x",
                           product_identification_helper: {
                              purl: "pkg:rpm/redhat/opentelemetry-collector@0.107.0-7.el9_4?arch=s390x",
                           },
                        },
                     },
                  ],
                  category: "architecture",
                  name: "s390x",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
      relationships: [
         {
            category: "default_component_of",
            full_product_name: {
               name: "opentelemetry-collector-0:0.107.0-7.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
               product_id: "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.aarch64",
            },
            product_reference: "opentelemetry-collector-0:0.107.0-7.el9_4.aarch64",
            relates_to_product_reference: "AppStream-9.4.0.Z.EUS",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "opentelemetry-collector-0:0.107.0-7.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
               product_id: "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.ppc64le",
            },
            product_reference: "opentelemetry-collector-0:0.107.0-7.el9_4.ppc64le",
            relates_to_product_reference: "AppStream-9.4.0.Z.EUS",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "opentelemetry-collector-0:0.107.0-7.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
               product_id: "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.s390x",
            },
            product_reference: "opentelemetry-collector-0:0.107.0-7.el9_4.s390x",
            relates_to_product_reference: "AppStream-9.4.0.Z.EUS",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "opentelemetry-collector-0:0.107.0-7.el9_4.src as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
               product_id: "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.src",
            },
            product_reference: "opentelemetry-collector-0:0.107.0-7.el9_4.src",
            relates_to_product_reference: "AppStream-9.4.0.Z.EUS",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "opentelemetry-collector-0:0.107.0-7.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
               product_id: "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.x86_64",
            },
            product_reference: "opentelemetry-collector-0:0.107.0-7.el9_4.x86_64",
            relates_to_product_reference: "AppStream-9.4.0.Z.EUS",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2024-45336",
         cwe: {
            id: "CWE-200",
            name: "Exposure of Sensitive Information to an Unauthorized Actor",
         },
         discovery_date: "2025-01-23T12:57:38.123000+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2341751",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in the net/http package of the Golang standard library. The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to `a.com/` containing an Authorization header redirected to `b.com/` will not send that header to `b.com`. However, the sensitive headers would be restored if the client received a subsequent same-domain redirect. For example, a chain of redirects from `a.com/`, to `b.com/1`, and finally to `b.com/2` would incorrectly send the Authorization header to `b.com/2`.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "golang: net/http: net/http: sensitive headers incorrectly sent after cross-domain redirect",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.aarch64",
               "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.ppc64le",
               "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.s390x",
               "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.src",
               "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.x86_64",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2024-45336",
            },
            {
               category: "external",
               summary: "RHBZ#2341751",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2341751",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2024-45336",
               url: "https://www.cve.org/CVERecord?id=CVE-2024-45336",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-45336",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2024-45336",
            },
         ],
         release_date: "2025-01-17T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2025-04-03T13:38:52+00:00",
               details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.aarch64",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.ppc64le",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.s390x",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.src",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.x86_64",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2025:3593",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 5.9,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.aarch64",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.ppc64le",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.s390x",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.src",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "golang: net/http: net/http: sensitive headers incorrectly sent after cross-domain redirect",
      },
      {
         acknowledgments: [
            {
               names: [
                  "jub0bs",
               ],
            },
         ],
         cve: "CVE-2025-22868",
         cwe: {
            id: "CWE-1286",
            name: "Improper Validation of Syntactic Correctness of Input",
         },
         discovery_date: "2025-02-26T04:00:44.350024+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2348366",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in the `golang.org/x/oauth2/jws` package in the token parsing component. This vulnerability is made possible because of the use of `strings.Split(token, \".\")` to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this functionality by sending numerous malformed tokens and can trigger memory exhaustion and a Denial of Service.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.aarch64",
               "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.ppc64le",
               "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.s390x",
               "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.src",
               "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.x86_64",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2025-22868",
            },
            {
               category: "external",
               summary: "RHBZ#2348366",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2348366",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2025-22868",
               url: "https://www.cve.org/CVERecord?id=CVE-2025-22868",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2025-22868",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2025-22868",
            },
            {
               category: "external",
               summary: "https://go.dev/cl/652155",
               url: "https://go.dev/cl/652155",
            },
            {
               category: "external",
               summary: "https://go.dev/issue/71490",
               url: "https://go.dev/issue/71490",
            },
            {
               category: "external",
               summary: "https://pkg.go.dev/vuln/GO-2025-3488",
               url: "https://pkg.go.dev/vuln/GO-2025-3488",
            },
         ],
         release_date: "2025-02-26T03:07:49.012000+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2025-04-03T13:38:52+00:00",
               details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.aarch64",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.ppc64le",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.s390x",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.src",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.x86_64",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2025:3593",
            },
            {
               category: "workaround",
               details: "To mitigate this vulnerability, it is recommended to pre-validate any payloads passed to `go-jose` to check that they do not contain an excessive amount of `.` characters.",
               product_ids: [
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.aarch64",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.ppc64le",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.s390x",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.src",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.x86_64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.aarch64",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.ppc64le",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.s390x",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.src",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws",
      },
      {
         cve: "CVE-2025-27144",
         cwe: {
            id: "CWE-770",
            name: "Allocation of Resources Without Limits or Throttling",
         },
         discovery_date: "2025-02-24T23:00:42.448432+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2347423",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in GO-JOSE. In affected versions, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code uses strings.Split(token, \".\") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. This issue could be exploied by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "go-jose: Go JOSE's Parsing Vulnerable to Denial of Service",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.aarch64",
               "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.ppc64le",
               "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.s390x",
               "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.src",
               "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.x86_64",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2025-27144",
            },
            {
               category: "external",
               summary: "RHBZ#2347423",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2347423",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2025-27144",
               url: "https://www.cve.org/CVERecord?id=CVE-2025-27144",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2025-27144",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2025-27144",
            },
            {
               category: "external",
               summary: "https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22",
               url: "https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22",
            },
            {
               category: "external",
               summary: "https://github.com/go-jose/go-jose/releases/tag/v4.0.5",
               url: "https://github.com/go-jose/go-jose/releases/tag/v4.0.5",
            },
            {
               category: "external",
               summary: "https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78",
               url: "https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78",
            },
         ],
         release_date: "2025-02-24T22:22:22.863000+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2025-04-03T13:38:52+00:00",
               details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.aarch64",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.ppc64le",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.s390x",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.src",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.x86_64",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2025:3593",
            },
            {
               category: "workaround",
               details: "As a workaround, applications can pre-validate that payloads being passed to Go JOSE do not contain an excessive number of `.` characters.",
               product_ids: [
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.aarch64",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.ppc64le",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.s390x",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.src",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.x86_64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.aarch64",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.ppc64le",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.s390x",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.src",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "go-jose: Go JOSE's Parsing Vulnerable to Denial of Service",
      },
      {
         cve: "CVE-2025-29786",
         cwe: {
            id: "CWE-770",
            name: "Allocation of Resources Without Limits or Throttling",
         },
         discovery_date: "2025-03-17T14:00:59.078419+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2352914",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in Expr. This vulnerability allows excessive memory usage and potential out-of-memory (OOM) crashes via unbounded input strings, where a malicious or inadvertent large expression can cause the parser to construct an extremely large Abstract Syntax Tree (AST), consuming excessive memory.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "github.com/expr-lang/expr: Memory Exhaustion in Expr Parser with Unrestricted Input",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.aarch64",
               "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.ppc64le",
               "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.s390x",
               "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.src",
               "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.x86_64",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2025-29786",
            },
            {
               category: "external",
               summary: "RHBZ#2352914",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2352914",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2025-29786",
               url: "https://www.cve.org/CVERecord?id=CVE-2025-29786",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2025-29786",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2025-29786",
            },
            {
               category: "external",
               summary: "https://github.com/expr-lang/expr/pull/762",
               url: "https://github.com/expr-lang/expr/pull/762",
            },
            {
               category: "external",
               summary: "https://github.com/expr-lang/expr/security/advisories/GHSA-93mq-9ffx-83m2",
               url: "https://github.com/expr-lang/expr/security/advisories/GHSA-93mq-9ffx-83m2",
            },
         ],
         release_date: "2025-03-17T13:15:32.836000+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2025-04-03T13:38:52+00:00",
               details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
               product_ids: [
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.aarch64",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.ppc64le",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.s390x",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.src",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.x86_64",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2025:3593",
            },
            {
               category: "workaround",
               details: "To mitigate this vulnerability, it is recommended to impose an input size restriction before parsing (i.e. validating or limiting the length of expression strings that the application will accept). Ensuring no unbounded-length expressions are fed into the parser will prevent the parser from constructing a very large AST and avoid the potential memory exhaustion issue.",
               product_ids: [
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.aarch64",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.ppc64le",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.s390x",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.src",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.x86_64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.aarch64",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.ppc64le",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.s390x",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.src",
                  "AppStream-9.4.0.Z.EUS:opentelemetry-collector-0:0.107.0-7.el9_4.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "github.com/expr-lang/expr: Memory Exhaustion in Expr Parser with Unrestricted Input",
      },
   ],
}

cve-2025-27144

Vulnerability from cvelistv5

Published

2025-02-24 22:22

Modified

2025-02-25 14:27

Severity ?

6.6 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

Summary

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.

References

▼	URL	Tags
	https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78	x_refsource_CONFIRM
	https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22	x_refsource_MISC
	https://github.com/go-jose/go-jose/releases/tag/v4.0.5	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	go-jose	go-jose	Version: >= 4.0.0, < 4.0.5

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2025-27144",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "yes",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-02-25T14:26:42.682392Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-02-25T14:27:04.978Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "go-jose",
               vendor: "go-jose",
               versions: [
                  {
                     status: "affected",
                     version: ">= 4.0.0, < 4.0.5",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, \".\") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters.  An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.",
            },
         ],
         metrics: [
            {
               cvssV4_0: {
                  attackComplexity: "LOW",
                  attackRequirements: "NONE",
                  attackVector: "NETWORK",
                  baseScore: 6.6,
                  baseSeverity: "MEDIUM",
                  privilegesRequired: "NONE",
                  subAvailabilityImpact: "NONE",
                  subConfidentialityImpact: "NONE",
                  subIntegrityImpact: "NONE",
                  userInteraction: "NONE",
                  vectorString: "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
                  version: "4.0",
                  vulnAvailabilityImpact: "HIGH",
                  vulnConfidentialityImpact: "NONE",
                  vulnIntegrityImpact: "NONE",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-770",
                     description: "CWE-770: Allocation of Resources Without Limits or Throttling",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2025-02-24T22:22:22.863Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78",
            },
            {
               name: "https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22",
            },
            {
               name: "https://github.com/go-jose/go-jose/releases/tag/v4.0.5",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/go-jose/go-jose/releases/tag/v4.0.5",
            },
         ],
         source: {
            advisory: "GHSA-c6gw-w398-hv78",
            discovery: "UNKNOWN",
         },
         title: "Go JOSE's Parsing Vulnerable to Denial of Service",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2025-27144",
      datePublished: "2025-02-24T22:22:22.863Z",
      dateReserved: "2025-02-19T16:30:47.777Z",
      dateUpdated: "2025-02-25T14:27:04.978Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2025-22868

Vulnerability from cvelistv5

Published

2025-02-26 03:07

Modified

2025-02-26 14:46

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

References

▼	URL	Tags
	https://go.dev/cl/652155
	https://go.dev/issue/71490
	https://pkg.go.dev/vuln/GO-2025-3488

Impacted products

	Vendor	Product	Version
	golang.org/x/oauth2	golang.org/x/oauth2/jws	Version: 0 ≤

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            metrics: [
               {
                  cvssV3_1: {
                     attackComplexity: "LOW",
                     attackVector: "NETWORK",
                     availabilityImpact: "HIGH",
                     baseScore: 7.5,
                     baseSeverity: "HIGH",
                     confidentialityImpact: "NONE",
                     integrityImpact: "NONE",
                     privilegesRequired: "NONE",
                     scope: "UNCHANGED",
                     userInteraction: "NONE",
                     vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                     version: "3.1",
                  },
               },
               {
                  other: {
                     content: {
                        id: "CVE-2025-22868",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "yes",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-02-26T14:45:27.246610Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            problemTypes: [
               {
                  descriptions: [
                     {
                        cweId: "CWE-1286",
                        description: "CWE-1286 Improper Validation of Syntactic Correctness of Input",
                        lang: "en",
                        type: "CWE",
                     },
                  ],
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-02-26T14:46:20.671Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               collectionURL: "https://pkg.go.dev",
               defaultStatus: "unaffected",
               packageName: "golang.org/x/oauth2/jws",
               product: "golang.org/x/oauth2/jws",
               programRoutines: [
                  {
                     name: "Verify",
                  },
               ],
               vendor: "golang.org/x/oauth2",
               versions: [
                  {
                     lessThan: "0.27.0",
                     status: "affected",
                     version: "0",
                     versionType: "semver",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               value: "jub0bs",
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "CWE-1286: Improper Validation of Syntactic Correctness of Input",
                     lang: "en",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2025-02-26T03:07:49.012Z",
            orgId: "1bb62c36-49e3-4200-9d77-64a1400537cc",
            shortName: "Go",
         },
         references: [
            {
               url: "https://go.dev/cl/652155",
            },
            {
               url: "https://go.dev/issue/71490",
            },
            {
               url: "https://pkg.go.dev/vuln/GO-2025-3488",
            },
         ],
         title: "Unexpected memory consumption during token parsing in golang.org/x/oauth2",
      },
   },
   cveMetadata: {
      assignerOrgId: "1bb62c36-49e3-4200-9d77-64a1400537cc",
      assignerShortName: "Go",
      cveId: "CVE-2025-22868",
      datePublished: "2025-02-26T03:07:49.012Z",
      dateReserved: "2025-01-08T19:11:42.834Z",
      dateUpdated: "2025-02-26T14:46:20.671Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2024-45336

Vulnerability from cvelistv5

Published

2025-01-28 01:03

Modified

2025-02-21 18:03

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.

References

▼	URL	Tags
	https://go.dev/cl/643100
	https://go.dev/issue/70530
	https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ
	https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ
	https://pkg.go.dev/vuln/GO-2025-3420

Impacted products

	Vendor	Product	Version
	Go standard library	net/http	Version: 0 ≤ Version: 1.23.0-0 ≤ Version: 1.24.0-0 ≤

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            metrics: [
               {
                  cvssV3_1: {
                     attackComplexity: "LOW",
                     attackVector: "NETWORK",
                     availabilityImpact: "NONE",
                     baseScore: 6.1,
                     baseSeverity: "MEDIUM",
                     confidentialityImpact: "LOW",
                     integrityImpact: "LOW",
                     privilegesRequired: "NONE",
                     scope: "CHANGED",
                     userInteraction: "REQUIRED",
                     vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                     version: "3.1",
                  },
               },
               {
                  other: {
                     content: {
                        id: "CVE-2024-45336",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-01-28T14:56:59.058895Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-01-28T15:16:38.044Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2025-02-21T18:03:31.299Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  url: "https://security.netapp.com/advisory/ntap-20250221-0003/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               collectionURL: "https://pkg.go.dev",
               defaultStatus: "unaffected",
               packageName: "net/http",
               product: "net/http",
               programRoutines: [
                  {
                     name: "Client.do",
                  },
                  {
                     name: "Client.makeHeadersCopier",
                  },
                  {
                     name: "shouldCopyHeaderOnRedirect",
                  },
                  {
                     name: "Client.Do",
                  },
                  {
                     name: "Client.Get",
                  },
                  {
                     name: "Client.Head",
                  },
                  {
                     name: "Client.Post",
                  },
                  {
                     name: "Client.PostForm",
                  },
                  {
                     name: "Get",
                  },
                  {
                     name: "Head",
                  },
                  {
                     name: "Post",
                  },
                  {
                     name: "PostForm",
                  },
               ],
               vendor: "Go standard library",
               versions: [
                  {
                     lessThan: "1.22.11",
                     status: "affected",
                     version: "0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "1.23.5",
                     status: "affected",
                     version: "1.23.0-0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "1.24.0-rc.2",
                     status: "affected",
                     version: "1.24.0-0",
                     versionType: "semver",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               value: "Kyle Seely",
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "CWE-116: Improper Encoding or Escaping of Output",
                     lang: "en",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2025-01-30T19:14:21.805Z",
            orgId: "1bb62c36-49e3-4200-9d77-64a1400537cc",
            shortName: "Go",
         },
         references: [
            {
               url: "https://go.dev/cl/643100",
            },
            {
               url: "https://go.dev/issue/70530",
            },
            {
               url: "https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ",
            },
            {
               url: "https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ",
            },
            {
               url: "https://pkg.go.dev/vuln/GO-2025-3420",
            },
         ],
         title: "Sensitive headers incorrectly sent after cross-domain redirect in net/http",
      },
   },
   cveMetadata: {
      assignerOrgId: "1bb62c36-49e3-4200-9d77-64a1400537cc",
      assignerShortName: "Go",
      cveId: "CVE-2024-45336",
      datePublished: "2025-01-28T01:03:24.869Z",
      dateReserved: "2024-08-27T19:41:58.555Z",
      dateUpdated: "2025-02-21T18:03:31.299Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2025-29786

Vulnerability from cvelistv5

Published

2025-03-17 13:15

Modified

2025-03-17 13:29

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression. In scenarios where input size isn’t limited, a malicious or inadvertent extremely large expression can consume excessive memory as the parser builds a huge AST. This can ultimately lead to*excessive memory usage and an Out-Of-Memory (OOM) crash of the process. This issue is relatively uncommon and will only manifest when there are no restrictions on the input size, i.e. the expression length is allowed to grow arbitrarily large. In typical use cases where inputs are bounded or validated, this problem would not occur. The problem has been patched in the latest versions of the Expr library. The fix introduces compile-time limits on the number of AST nodes and memory usage during parsing, preventing any single expression from exhausting resources. Users should upgrade to Expr version 1.17.0 or later, as this release includes the new node budget and memory limit safeguards. Upgrading to v1.17.0 ensures that extremely deep or large expressions are detected and safely aborted during compilation, avoiding the OOM condition. For users who cannot immediately upgrade, the recommended workaround is to impose an input size restriction before parsing. In practice, this means validating or limiting the length of expression strings that your application will accept. For example, set a maximum allowable number of characters (or nodes) for any expression and reject or truncate inputs that exceed this limit. By ensuring no unbounded-length expression is ever fed into the parser, one can prevent the parser from constructing a pathologically large AST and avoid potential memory exhaustion. In short, pre-validate and cap input size as a safeguard in the absence of the patch.

References

▼	URL	Tags
	https://github.com/expr-lang/expr/security/advisories/GHSA-93mq-9ffx-83m2	x_refsource_CONFIRM
	https://github.com/expr-lang/expr/pull/762	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	expr-lang	expr	Version: < 1.17.0

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2025-29786",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "yes",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-03-17T13:29:22.591802Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-03-17T13:29:29.177Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "expr",
               vendor: "expr-lang",
               versions: [
                  {
                     status: "affected",
                     version: "< 1.17.0",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression. In scenarios where input size isn’t limited, a malicious or inadvertent extremely large expression can consume excessive memory as the parser builds a huge AST. This can ultimately lead to*excessive memory usage and an Out-Of-Memory (OOM) crash of the process. This issue is relatively uncommon and will only manifest when there are no restrictions on the input size, i.e. the expression length is allowed to grow arbitrarily large. In typical use cases where inputs are bounded or validated, this problem would not occur. The problem has been patched in the latest versions of the Expr library. The fix introduces compile-time limits on the number of AST nodes and memory usage during parsing, preventing any single expression from exhausting resources. Users should upgrade to Expr version 1.17.0 or later, as this release includes the new node budget and memory limit safeguards. Upgrading to v1.17.0 ensures that extremely deep or large expressions are detected and safely aborted during compilation, avoiding the OOM condition. For users who cannot immediately upgrade, the recommended workaround is to impose an input size restriction before parsing. In practice, this means validating or limiting the length of expression strings that your application will accept. For example, set a maximum allowable number of characters (or nodes) for any expression and reject or truncate inputs that exceed this limit. By ensuring no unbounded-length expression is ever fed into the parser, one can prevent the parser from constructing a pathologically large AST and avoid potential memory exhaustion. In short, pre-validate and cap input size as a safeguard in the absence of the patch.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-770",
                     description: "CWE-770: Allocation of Resources Without Limits or Throttling",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2025-03-17T13:15:32.836Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/expr-lang/expr/security/advisories/GHSA-93mq-9ffx-83m2",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/expr-lang/expr/security/advisories/GHSA-93mq-9ffx-83m2",
            },
            {
               name: "https://github.com/expr-lang/expr/pull/762",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/expr-lang/expr/pull/762",
            },
         ],
         source: {
            advisory: "GHSA-93mq-9ffx-83m2",
            discovery: "UNKNOWN",
         },
         title: "Memory Exhaustion in Expr Parser with Unrestricted Input",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2025-29786",
      datePublished: "2025-03-17T13:15:32.836Z",
      dateReserved: "2025-03-11T14:23:00.476Z",
      dateUpdated: "2025-03-17T13:29:29.177Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

rhsa-2025:3593

Vulnerability from csaf_redhat

cve-2025-27144

Vulnerability from cvelistv5

cve-2025-22868

Vulnerability from cvelistv5

cve-2024-45336

Vulnerability from cvelistv5

cve-2025-29786

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature