[🐸 Frogbot] Update version of golang.org/x/oauth2 to 0.27.0

[github-actions]

📦 Vulnerable Dependencies

Severity	ID	Contextual Analysis	Direct Dependencies	Impacted Dependency	Fixed Versions
High	CVE-2025-22868	Not Applicable	github.com/jfrog/froggit-go:v1.16.2 github.com/jfrog/jfrog-cli-security:v1.14.1 github.com/ktrysmt/go-bitbucket:v0.9.80 golang.org/x/oauth2:v0.20.0	golang.org/x/oauth2 v0.20.0	[0.27.0]

🔖 Details

Vulnerability Details

Jfrog Research Severity:	Medium
Contextual Analysis:	Not Applicable
Direct Dependencies:	github.com/jfrog/froggit-go:v1.16.2, github.com/jfrog/jfrog-cli-security:v1.14.1, github.com/ktrysmt/go-bitbucket:v0.9.80, golang.org/x/oauth2:v0.20.0
Impacted Dependency:	golang.org/x/oauth2:v0.20.0
Fixed Versions:	[0.27.0]
CVSS V3:	7.5

Unbounded resource consumption in Go's x/oauth2/jws can lead to denial of service when an attacker client sends a malformed token.

🔬 JFrog Research Details

Description:
A design bug in Go x/oauth2/jws module may lead to denial of service when an attacker sends a malformed token to a server.

The Verify function of Go's JWS module starts with:

func Verify(token string, key *rsa.PublicKey) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("jws: invalid token received, token must have 3 parts")
	}

If an attacker sends a token which has many dots (e.g. 100000) the strings.Split() function might crash due to unexpected memory consumption which may lead to DoS.

---

🐸 JFrog Frogbot