fix(deps): update module github.com/golang-jwt/jwt/v5 to v5.2.2 [security] (release-0.32)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
github.com/golang-jwt/jwt/v5	require	patch	v5.2.1 -> v5.2.2

---

jwt-go allows excessive memory allocation during header parsing

CVE-2025-30204 / GHSA-mh63-6h87-95cp / GO-2025-3553

More information

Details

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp
• https://nvd.nist.gov/vuln/detail/CVE-2025-30204
• https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3
• https://github.com/golang-jwt/jwt

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Excessive memory allocation during header parsing in github.com/golang-jwt/jwt

CVE-2025-30204 / GHSA-mh63-6h87-95cp / GO-2025-3553

More information

Details

Excessive memory allocation during header parsing in github.com/golang-jwt/jwt

Severity

Unknown

References

• https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp
• https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Release Notes

golang-jwt/jwt (github.com/golang-jwt/jwt/v5)

v5.2.2

Compare Source

What's Changed

• Fixed GHSA-mh63-6h87-95cp by @​mfridman
• Fixed some typos by @​Ashikpaul in https://github.com/golang-jwt/jwt/pull/382
• build: add go1.22 to ci workflows by @​mfridman in https://github.com/golang-jwt/jwt/pull/383
• Bump golangci/golangci-lint-action from 4 to 5 by @​dependabot in https://github.com/golang-jwt/jwt/pull/387
• Bump golangci/golangci-lint-action from 5 to 6 by @​dependabot in https://github.com/golang-jwt/jwt/pull/389
• chore: bump ci tests to include go1.23 by @​mfridman in https://github.com/golang-jwt/jwt/pull/405
• Fix jwt -show by @​AlexanderYastrebov in https://github.com/golang-jwt/jwt/pull/406
• docs: typo by @​kvii in https://github.com/golang-jwt/jwt/pull/407
• Update SECURITY.md by @​oxisto in https://github.com/golang-jwt/jwt/pull/416
• Update jwt.Parse example to use jwt.WithValidMethods by @​mattt in https://github.com/golang-jwt/jwt/pull/425

New Contributors

• @​Ashikpaul made their first contribution in https://github.com/golang-jwt/jwt/pull/382
• @​kvii made their first contribution in https://github.com/golang-jwt/jwt/pull/407
• @​mattt made their first contribution in https://github.com/golang-jwt/jwt/pull/425

Full Changelog: golang-jwt/jwt@v5.2.1...v5.2.2

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.