An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti.
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2024-2631" }
{ "imports": [ { "path": "github.com/go-jose/go-jose/v4", "symbols": [ "JSONWebEncryption.Decrypt", "JSONWebEncryption.DecryptMulti", "inflate" ] } ] }
{ "imports": [ { "path": "github.com/go-jose/go-jose/v3", "symbols": [ "JSONWebEncryption.Decrypt", "JSONWebEncryption.DecryptMulti", "inflate" ] } ] }
{ "imports": [ { "path": "gopkg.in/go-jose/go-jose.v2", "symbols": [ "JSONWebEncryption.Decrypt", "JSONWebEncryption.DecryptMulti", "inflate" ] } ] }
{ "imports": [ { "path": "gopkg.in/square/go-jose.v2", "symbols": [ "JSONWebEncryption.Decrypt", "JSONWebEncryption.DecryptMulti", "inflate" ] } ] }