Vulnerability Report: GO-2024-2632

CVE-2024-28122, GHSA-hj3v-m684-v259
Affects: github.com/lestrrat-go/jwx, github.com/lestrrat-go/jwx/v2
Published: May 20, 2024

An attacker with a trusted public key may cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the recipient, it results in significant memory allocation and processing time during decompression.

For detailed information about this vulnerability, visit https://github.com/lestrrat-go/jwx/security/advisories/GHSA-hj3v-m684-v259.

Affected Packages

Path

Go Versions

Symbols
github.com/lestrrat-go/jwx/jwe

before v1.2.29
- Decrypt
- Message.Decrypt
github.com/lestrrat-go/jwx/v2/jwe

before v2.0.21
- Decrypt
- Settings

Aliases

CVE-2024-28122
GHSA-hj3v-m684-v259

References

https://github.com/lestrrat-go/jwx/security/advisories/GHSA-hj3v-m684-v259
https://github.com/lestrrat-go/jwx/commit/d01027d74c7376d66037a10f4f64af9af26a7e34
https://github.com/lestrrat-go/jwx/commit/d43f2ceb7f0c13714dfe8854d6439766e86faa76
https://github.com/lestrrat-go/jwx/releases/tag/v1.2.29
https://github.com/lestrrat-go/jwx/releases/tag/v2.0.21
https://vuln.go.dev/ID/GO-2024-2632.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL