Summary
Update github.com/golang-jwt/jwt/v5 from v5.2.1 to v5.2.2 or later (v5.3.0 available) to address HIGH severity vulnerability GHSA-mh63-6h87-95cp.
Vulnerability Details
- Advisory: GHSA-mh63-6h87-95cp (GitHub Security Advisory)
- Severity: HIGH (CVSS 7.5)
- Issue: Excessive memory allocation during header parsing when processing untrusted JWT tokens
- Current Version: v5.2.1 (vulnerable)
- Fixed In: v5.2.2+
- Latest Version: v5.3.0
Affected Files
go.mod (repository root)
deploy/operator/go.mod
Remediation Steps
Since this is a transitive dependency, identify and update the direct dependencies that pull it in, or add a replace directive to force the fixed version:
# For root go.mod
cd <repo-root>
go get github.com/golang-jwt/jwt/v5@v5.3.0
go mod tidy
go test ./...
# For operator go.mod
cd deploy/operator
go get github.com/golang-jwt/jwt/v5@v5.3.0
go mod tidy
go test ./...
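As an added check that is not part of the original issue or the jumpstarter project, the following POSIX shell script scans a go.mod for the github.com/golang-jwt/jwt/v5 requirement and flags any version below the fixed v5.2.2; the go.mod content is constructed for illustration, and replace directives are not considered. To see which direct dependencies pull the module in, run go mod why -m github.com/golang-jwt/jwt/v5 in each module directory.

```shell
# Added example (not from the original issue). Checks go.mod files for the
# golang-jwt/jwt/v5 version range affected by GHSA-mh63-6h87-95cp (< v5.2.2).
# Constructed sample go.mod text, with the module pulled in indirectly:
SAMPLE_GOMOD='module example.com/placeholder

go 1.22

require (
	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
	github.com/spf13/cobra v1.8.0
)
'

# Print the version of github.com/golang-jwt/jwt/v5 required by the go.mod
# text on stdin (block or single-line require form); prints nothing if absent.
jwt_version_from_gomod() {
  awk '$1 == "github.com/golang-jwt/jwt/v5" { print $2; exit }
       $1 == "require" && $2 == "github.com/golang-jwt/jwt/v5" { print $3; exit }'
}

# Return 0 if vX.Y.Z is >= v5.2.2 (fixed), 1 if it is still affected.
# Pre-release/build suffixes on the patch component are stripped, not compared.
jwt_version_is_fixed() {
  v=${1#v}
  major=${v%%.*}; rest=${v#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  patch=${patch%%[-+]*}
  if [ "$major" -ne 5 ]; then [ "$major" -gt 5 ]; return; fi
  if [ "$minor" -ne 2 ]; then [ "$minor" -gt 2 ]; return; fi
  [ "$patch" -ge 2 ]
}

# Check one go.mod file: print a verdict, return 0 when safe, 1 when affected.
check_gomod_file() {
  ver=$(jwt_version_from_gomod < "$1")
  if [ -z "$ver" ]; then
    echo "$1: github.com/golang-jwt/jwt/v5 not required"; return 0
  fi
  if jwt_version_is_fixed "$ver"; then
    echo "$1: jwt/v5 $ver OK"; return 0
  fi
  echo "$1: jwt/v5 $ver AFFECTED by GHSA-mh63-6h87-95cp, need >= v5.2.2"
  return 1
}

# Usage: sh check_jwt.sh go.mod deploy/operator/go.mod
for f in "$@"; do check_gomod_file "$f"; done
```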
References
This issue was created as a follow-up to the security review in PR jumpstarter-dev/jumpstarter-controller#170 at the request of @mangelajo.