This advisory covers security fixes in OpenShift API for Data Protection (OADP) 1.3.7 for Red Hat Enterprise Linux 9 across multiple architectures. The update addresses three vulnerabilities: CVE-2024-45338 involves non-linear parsing of case-insensitive content in the golang.org/x/net/html package; CVE-2025-22868 involves unexpected memory consumption during token parsing in golang.org/x/oauth2/jws; and CVE-2025-30204 involves excessive memory allocation during JWT header parsing in golang-jwt/jwt. These issues relate to improper memory handling that could be exploited to cause excessive resource use. The advisory references Red Hat's errata RHSA-2025:9646 and provides instructions to apply the update after prior errata. No CVSS scores are provided in the advisory, but the severity is rated as Important by Red Hat Product Security.

The vulnerabilities fixed in this update could allow an attacker to cause unexpected or excessive memory consumption during parsing operations within OADP components, potentially leading to denial of service or resource exhaustion. There are no reports of active exploitation in the wild. The impact is rated as Important by Red Hat, indicating a significant security concern but not critical. The vulnerabilities affect backup and restore functionality related to application resources and persistent volume data in OpenShift environments.

Red Hat has released an official security update for OpenShift API for Data Protection (OADP) version 1.3.7 that addresses these vulnerabilities. Users should apply this update promptly after ensuring all previously released errata relevant to their system are installed. Detailed update instructions are available in the Red Hat advisory RHSA-2025:9646 and related documentation. No alternative mitigations or workarounds are indicated in the advisory.