The go-jose library is affected by a multiple-signatures issue. When validating a signed message that carries more than one signature, the API did not indicate which of the signatures was the valid one, which creates the potential for confusion about which signer actually authenticated the message.
{
  "imports": [
    {
      "path": "gopkg.in/square/go-jose.v1",
      "symbols": [
        "JsonWebEncryption.Decrypt",
        "JsonWebKey.UnmarshalJSON",
        "JsonWebSignature.Verify",
        "ecDecrypterSigner.decryptKey",
        "rawJsonWebKey.ecPublicKey"
      ]
    },
    {
      "path": "gopkg.in/square/go-jose.v1/cipher",
      "symbols": [
        "DeriveECDHES",
        "NewConcatKDF",
        "cbcAEAD.Open",
        "cbcAEAD.Seal",
        "cbcAEAD.computeAuthTag",
        "padBuffer",
        "resize"
      ]
    }
  ]
}