Asymmetric Resource Consumption (Amplification)
CVE-2025-30204
Summary
The package golang-jwt is a Go implementation of JSON Web Tokens. The function `parse.ParseUnverified` splits its argument, which is untrusted data, on periods via a call to `strings.Split`. As a result, when a malicious request's Authorization header consists of `Bearer` followed by many period characters, a call to that function incurs allocations on the order of O(n) bytes (where n is the length of the function's argument), with a constant factor of about 16. This issue affects versions prior to 4.5.2 and 5.x versions prior to 5.2.2.
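The allocation behaviour described above, shown as an added example that is not golang-jwt's own code and not the upstream fix: `splitNaive` reproduces the unbounded `strings.Split` pattern, where an input of n periods yields n+1 string headers (16 bytes each, hence the factor of about 16), while `splitBounded` checks the separator count before allocating and then uses `strings.Cut`, so its allocation cost does not grow with the input. The function names and the constructed all-period token are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"runtime"
	"strings"
)

// ErrMalformed is returned for input that is not exactly three dot-separated segments.
var ErrMalformed = errors.New("token contains an invalid number of segments")

// splitNaive mirrors the pattern the advisory describes: an unbounded
// strings.Split over untrusted input. For n periods it returns n+1 (mostly
// empty) strings, so the backing array alone costs about 16*(n+1) bytes
// (a Go string header is a pointer plus a length), whether or not the
// token is valid. Hypothetical helper, not golang-jwt's code.
func splitNaive(token string) []string {
	return strings.Split(token, ".")
}

// splitBounded is a hardened alternative (assumed example, not the upstream
// fix): it validates the separator count before allocating anything and then
// uses strings.Cut, which allocates no slice at all. The allocation cost is
// constant for any input length; time is still O(n) for the scan.
func splitBounded(token string) ([3]string, error) {
	var parts [3]string
	if strings.Count(token, ".") != 2 {
		return parts, ErrMalformed
	}
	header, rest, _ := strings.Cut(token, ".")
	claims, sig, _ := strings.Cut(rest, ".")
	parts[0], parts[1], parts[2] = header, claims, sig
	return parts, nil
}

// maliciousToken builds the kind of value the advisory describes: a bearer
// token consisting of nothing but period characters (constructed sample input).
func maliciousToken(n int) string {
	return strings.Repeat(".", n)
}

func main() {
	const n = 1 << 20 // 1 MiB of periods
	tok := maliciousToken(n)

	// Measure bytes allocated by the naive split relative to input size.
	var before, after runtime.MemStats
	runtime.GC()
	runtime.ReadMemStats(&before)
	parts := splitNaive(tok)
	runtime.ReadMemStats(&after)
	fmt.Printf("naive split: %d segments, ~%.1f bytes allocated per input byte\n",
		len(parts), float64(after.TotalAlloc-before.TotalAlloc)/float64(n))

	// The bounded variant rejects the same input before allocating.
	if _, err := splitBounded(tok); err != nil {
		fmt.Println("bounded split:", err)
	}
	if p, err := splitBounded("hdr.claims.sig"); err == nil {
		fmt.Printf("bounded split of a well-formed token: %q\n", p)
	}
}
```

The printed per-byte figure is a runtime measurement and will vary slightly with the Go version, but it lands near 16 because the slice returned by `strings.Split` holds one 16-byte string header per segment. Note that `splitBounded` only fixes the segment-count amplification; empty segments such as `".."` still pass the count check and must be rejected by the subsequent base64 decoding, as in any real parser.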
- Attack Complexity: LOW
- Attack Vector: NETWORK
- Privileges Required: NONE
- Scope: UNCHANGED
- User Interaction: NONE
- Confidentiality: NONE
- Integrity: NONE
- Availability: HIGH
CWE-405 - Asymmetric Resource Consumption (Amplification)
Software that does not appropriately monitor or control resource consumption can lead to adverse system performance.
References
Advisory Timeline
- Published