INFSA-2025:7503: osbuild-composer security update

Information about definition

Identifier: INFSA-2025:7503

Type: security

Release date: 2025-07-15 19:40:52 UTC

Information about package

A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to the cloud. It is compatible with composer-cli and cockpit-composer clients.

Vulnerabilities description

  • CVE-2025-30204

    A flaw was found in the golang-jwt implementation of JSON Web Tokens (JWT). In affected versions, a malicious request with specially crafted Authorization header data may trigger an excessive consumption of resources on the host system. This issue can cause significant performance degradation or an application crash, leading to a denial of service.

Severity level

CVE Score CVSS 2.0 Score CVSS 3.x Score CVSS 4.0
Critical, important, moderate, low

Updated packages