Vulnerability Report: GO-2023-2334

GHSA-2c7c-3mj9-8fqh
Affects: github.com/go-jose/go-jose/v3, github.com/square/go-jose
Published: Nov 21, 2023
Modified: May 20, 2024

The go-jose package is subject to a "billion hashes attack" causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.

Affected Packages

Path

Go Versions

Symbols
github.com/go-jose/go-jose/v3

before v3.0.1
- JSONWebEncryption.Decrypt
- JSONWebEncryption.DecryptMulti
github.com/square/go-jose

all versions, no known fixed
- JSONWebEncryption.Decrypt
- JSONWebEncryption.DecryptMulti

Aliases

GHSA-2c7c-3mj9-8fqh

References

https://github.com/go-jose/go-jose/commit/65351c27657d58960c2e6c9fbb2b00f818e50568
https://github.com/go-jose/go-jose/issues/64
https://vuln.go.dev/ID/GO-2023-2334.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL