CVE-2025-22868 flagged in dependency golang.org/x/oauth2 (JWS token parsing) — impact on InfluxDB 1.12.2

[prathapkmpl-coder]

Description

Summary
We are seeing CVE-2025-22868 flagged in our vulnerability scans when using InfluxDB v1.12.2. The CVE refers to a memory-exhaustion issue triggered by a malformed token in the golang.org/x/oauth2/jws component. While the CVE is for that package, our scan reports it as part of InfluxDB. We need clarification on whether InfluxDB pulls in that vulnerable dependency, and if yes, whether it is updated or mitigated in this release.

What is CVE-2025-22868

• According to NVD, “An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.” ([nvd.nist.gov][1])
• It has a High severity (CVSS 3.1 score 7.5) ([nvd.nist.gov][1])
• The underlying issue is in golang.org/x/oauth2/jws versions before v0.27.0. ([wiz.io][2])
• The mitigation suggested by Go/Vuln DB is to upgrade the oauth2/JWS package to v0.27.0 or newer. ([pkg.go.dev][3])

What we observed

• We are using InfluxDB v1.12.2 (InfluxDB 1.x).

• Our internal vulnerability scanner reports CVE-2025-22868 (via an oauth2/JWS dependency).

• It is not clear which component or library inside InfluxDB is responsible for pulling that dependency.

• We need to determine:

  1. Does InfluxDB 1.12.2 vendor or import golang.org/x/oauth2/jws (directly or via other dependencies)?
  2. If yes, which version is being used? Is it prior to v0.27.0 (i.e. vulnerable)?
  3. If not used or not vulnerable, can we suppress or mark it as false-positive in scanner?
  4. If it is vulnerable, is there a plan / patch to update that dependency in InfluxDB 1.x?

Impact

• If the vulnerable code is included, there is a risk of Denial-of-Service (memory exhaustion) by providing malformed JWT tokens.
• Even if it’s not used by default in InfluxDB (or only in certain configurations), the scanner flag may block our compliance or deployment pipelines.

Request

• Please confirm whether InfluxDB 1.12.2 includes the vulnerable dependency (golang.org/x/oauth2/jws < v0.27.0).
• If yes, is there a backport or patch available (or planned) to upgrade that dependency?
• If no, can you provide guidance on how to suppress or ignore the finding safely?
• If yes and no patch, can you evaluate backporting the fix (or recommend workaround)?

[prathapkmpl-coder]

Could you please take a look at this issue and share your insights?

[jdstrand]

This is github.com/influxdata/edge/issues/877. From that issue: "For golang.org/x/oauth2, this is in the golang.org/x/oauth2/jws.Verify() function when verifying JSON web signatures (JWS). Prior to the update, a crafted JWS could be sent to strings.Split() to consume memory. plutonium imports golang.org/x/oauth2 but doesn't use golang.org/x/oauth2/jws.Verify() (as seen with strings). This could have been dismissed with 'code-not-used', but https://github.com/influxdata/plutonium/pull/4281 was merged for it."

Put another way, the issue didn't affect Enterprise 1.12.2 but we updated the library and that update will be in 1.12.3.