KrakenD v2.9.2 and v2.9.3 security releases
by Albert Lombarte
Two CVEs published one day apart required KrakenD to publish new security releases.
KrakenD Enterprise 2.9.2 and KrakenD Community 2.9.2 were released on March 4th and announced to customers via Slack and email that same day, before this blog post was written. We strongly recommend that all users relying on JWT validation upgrade to this version as soon as possible. The severity of this vulnerability is classified as moderate.
One day later, on March 5th, another CVE was published by the Go community, this time affecting the proxy package. This prompted a new release, v2.9.3, to patch it.
The fix in v2.9.2 addresses CVE-2025-22868, which involves the JOSE package, the one responsible for validating JWT tokens. When exploited, a crafted, malformed JWT token could cause excessive memory to be consumed during parsing, potentially impacting system stability. Because a token has to be parsed before its signature can be checked, the attacker does not need a validly signed token to trigger the problem. The fix is applied to both the Enterprise and Community editions.
The fix in v2.9.3 addresses CVE-2025-22870, related to the HTTP proxy component.
In addition, the Enterprise Edition includes two more fixes, listed below.
🚀 Summary of changes for EE v2.9.2 (patch)
Security fixes to cover CVE-2025-22868 (malformed JWT exploit)
- Upgraded the JOSE package to fix CVE-2025-22868 (a malicious malformed token could cause unexpected memory to be consumed during parsing).
- Fixed the krakend check command, which did not properly parse cases involving dynamic routing.
- Removed a non-printable character from the Docker entrypoint that raised an error message on execution.
Upgrading to the latest version is always advised.
🚀 Summary of changes for EE v2.9.3 (patch)
Security fix to cover CVE-2025-22870
- Fixed CVE-2025-22870, related to the net/http package. No details of this vulnerability are public yet.
Upgrading to the latest version is always advised.