INFSA-2025:19566: osbuild-composer security update
Information about definition
Identificator: INFSA-2025:19566
Type: security
Release date: 2025-11-07 21:23:58 UTC
Information about package
A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud. It is compatible with composer-cli and cockpit-composer clients.
Vulnerabilities description
- CVE-2025-27144
A flaw was found in GO-JOSE. In affected versions, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code uses strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of . characters. This issue could be exploied by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.
Severity level
| CVE | Score CVSS 2.0 | Score CVSS 3.x | Score CVSS 4.0 |
|---|---|---|---|
|
NIST — CVE-2025-27144
|
no information | 7.5 | no information |
Updated packages
Preparing to download...