
jwt-go allows excessive memory allocation during header parsing #32

@xylplm

Description


Transitive dependency github.com/golang-jwt/jwt v3.2.2+incompatible is introduced via
github.com/cloudwego/eino-ext/callbacks/cozeloop v0.1.7 ... github.com/golang-jwt/jwt v3.2.2+incompatible
github.com/cloudwego/eino-ext/callbacks/cozeloop v0.1.7 github.com/golang-jwt/jwt v3.2.2+incompatible
github.com/coze-dev/cozeloop-go v0.1.17 github.com/golang-jwt/jwt v3.2.2+incompatible
Package: github.com/golang-jwt/jwt (Go)
Affected versions: >= 3.2.0, <= 3.2.2
Patched version: None
Summary
Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16.

Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details
See parse.ParseUnverified

Impact
Excessive memory allocation

Recommendation: upgrade golang-jwt/jwt 3.2 to the latest version, https://pkg.go.dev/github.com/golang-jwt/jwt/v5
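The amplification the advisory text above describes, as an added illustration that is not code from this issue, from cozeloop-go, or from golang-jwt/jwt. `splitVulnerable` reproduces the strings.Split-on-periods pattern and returns the number of segments plus the bytes spent on string headers alone (one 16-byte header per segment on 64-bit, which is the "constant factor of about 16"); `splitHardened` is one constant-allocation alternative that cuts at most three segments with strings.Cut and rejects any extra period before per-segment allocation happens. All function names and the sample header are hypothetical and constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unsafe"
)

// stringHeaderBytes is the size of one string header (pointer + length):
// 16 bytes on 64-bit platforms. strings.Split returns one header per
// segment, so a header of n periods yields n+1 headers before any
// base64 decoding or signature work is even attempted.
var stringHeaderBytes = int(unsafe.Sizeof(""))

// bearerToken strips the "Bearer " scheme from a constructed
// Authorization header value (hypothetical helper, not the library's).
func bearerToken(header string) (string, bool) {
	const prefix = "Bearer "
	if !strings.HasPrefix(header, prefix) {
		return "", false
	}
	return header[len(prefix):], true
}

// splitVulnerable mirrors the pattern the advisory describes: the
// untrusted token is split on every period before the segment count is
// checked. It returns the segment count and the bytes allocated just for
// the resulting string headers (the backing data is shared, not copied).
func splitVulnerable(token string) (segments int, headerBytes int) {
	parts := strings.Split(token, ".")
	return len(parts), len(parts) * stringHeaderBytes
}

// splitHardened is a constant-allocation alternative (example code, not
// the library's fix): cut off the first two segments with strings.Cut and
// reject the token if the remainder still contains a period. Segment
// contents (base64, claims, signature) are validated elsewhere.
func splitHardened(token string) ([3]string, error) {
	var parts [3]string
	var ok bool
	parts[0], token, ok = strings.Cut(token, ".")
	if !ok {
		return parts, errors.New("token contains invalid number of segments")
	}
	parts[1], parts[2], ok = strings.Cut(token, ".")
	if !ok {
		return parts, errors.New("token contains invalid number of segments")
	}
	if strings.Contains(parts[2], ".") {
		return parts, errors.New("token contains invalid number of segments")
	}
	return parts, nil
}

func main() {
	// Constructed malicious header: "Bearer " followed by 1 MiB of periods.
	n := 1 << 20
	malicious := "Bearer " + strings.Repeat(".", n)
	tok, _ := bearerToken(malicious)

	segs, hdrBytes := splitVulnerable(tok)
	fmt.Printf("vulnerable: %d input bytes -> %d segments, %d bytes of string headers (x%d)\n",
		len(tok), segs, hdrBytes, hdrBytes/len(tok))

	if _, err := splitHardened(tok); err != nil {
		fmt.Println("hardened: rejected before per-segment allocation:", err)
	}

	// A well-formed three-segment token passes the hardened splitter.
	if parts, err := splitHardened("aaa.bbb.ccc"); err == nil {
		fmt.Printf("hardened: well-formed token -> %q\n", parts)
	}
}
```

Run with `go run .`; the vulnerable path reports roughly 16 bytes of headers per byte of input, while the hardened splitter allocates nothing proportional to the number of periods and fails fast. Fixed releases of golang-jwt/jwt bound the segment count before splitting in the same spirit; moving to the v5 module, as the reporter recommends, is the supported way to get that behaviour.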
