CVE-2025-22868 found in golang/golang.org/x/oauth2@v0.25.0
Important
Risk: 1.15 (Low)
CVSS: 7.5
Description
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
Affected component
The vulnerability is in pkg:golang/golang.org/x/oauth2@v0.25.0, detected by github.com/l3montree-dev/devguard/cmd/devguard-scanner/sca, github.com/l3montree-dev/devguard/cmd/devguard-scanner/container-scanning.
Recommended fix
Upgrade to version 0.27.0 or later.
Path to component
```mermaid
%%{init: { 'theme':'dark' } }%%
flowchart TD
go_mod["go.mod"] --> gitlab_opencode_de_open_code_badgebackend_badge_api["gitlab.opencode.de/open-code/badgebackend/badge-api"]
gitlab_opencode_de_open_code_badgebackend_badge_api["gitlab.opencode.de/open-code/badgebackend/badge-api"] --> gitlab_com_gitlab_org_api_client_go["gitlab.com/gitlab-org/api/client-go"]
gitlab_com_gitlab_org_api_client_go["gitlab.com/gitlab-org/api/client-go"] --> golang_org_x_oauth2["golang.org/x/oauth2"]
gitlab_opencode_de_open_code_badgebackend_badge_api["gitlab.opencode.de/open-code/badgebackend/badge-api"] --> github_com_prometheus_client_golang["github.com/prometheus/client_golang"]
github_com_prometheus_client_golang["github.com/prometheus/client_golang"] --> github_com_prometheus_common["github.com/prometheus/common"]
github_com_prometheus_common["github.com/prometheus/common"] --> golang_org_x_oauth2["golang.org/x/oauth2"]
gitlab_opencode_de_open_code_badgebackend_badge_api["gitlab.opencode.de/open-code/badgebackend/badge-api"] --> github_com_spf13_viper["github.com/spf13/viper"]
github_com_spf13_viper["github.com/spf13/viper"] --> github_com_sagikazarmark_locafero["github.com/sagikazarmark/locafero"]
github_com_sagikazarmark_locafero["github.com/sagikazarmark/locafero"] --> github_com_spf13_afero["github.com/spf13/afero"]
github_com_spf13_afero["github.com/spf13/afero"] --> golang_org_x_oauth2["golang.org/x/oauth2"]
github_com_spf13_viper["github.com/spf13/viper"] --> github_com_spf13_afero["github.com/spf13/afero"]
```
| Risk Factor | Value | Description |
|---|---|---|
| Vulnerability Depth | 3 | The vulnerability is in a dependency of a dependency in your project. It is 3 levels deep. |
| EPSS | 0.00 % | The exploit probability is very low. The vulnerability is unlikely to be exploited in the next 30 days. |
| EXPLOIT | Not available | We did not find any exploit available, neither in GitHub repositories nor in the Exploit-Database. There are no script kiddies exploiting this vulnerability. |
| CVSS-BE | 9.3 | Exploiting this vulnerability significantly impacts availability. |
| CVSS-B | 7.5 | The vulnerability can be exploited over the network without needing physical access. It is easy for an attacker to exploit this vulnerability. An attacker does not need any special privileges or access rights. No user interaction is needed for the attacker to exploit this vulnerability. The impact is confined to the system where the vulnerability exists. There is a high impact on the availability of the system. |
More details can be found in DevGuard
Interact with this vulnerability
You can use the following slash commands to interact with this vulnerability:
👍 Reply with this to acknowledge and accept the identified risk.
/accept I accept the risk of this vulnerability, because ...
⚠️ Mark the risk as false positive: Use one of these commands if you believe the reported vulnerability is not actually a valid issue.
/component-not-present The vulnerable component is not included in the artifact.
/vulnerable-code-not-present The component is present, but the vulnerable code is not included or compiled.
/vulnerable-code-not-in-execute-path The vulnerable code exists, but is never executed at runtime.
/vulnerable-code-cannot-be-controlled-by-adversary The vulnerable code cannot be controlled or influenced by an attacker.
/inline-mitigations-already-exist Built-in protections prevent exploitation of this vulnerability.
🔁 Reopen the risk: Use this command to reopen a previously closed or accepted vulnerability.
/reopen ...