GO-2024-2632

Source
https://pkg.go.dev/vuln/GO-2024-2632
Import Source
https://vuln.go.dev/ID/GO-2024-2632.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2024-2632
Aliases
Published
2024-05-20T19:46:23Z
Modified
2024-05-20T20:13:53.953366Z
Summary
JWX vulnerable to a denial of service attack using compressed JWE message in github.com/lestrrat-go/jwx
Details

An attacker with a trusted public key may cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the recipient, it results in significant memory allocation and processing time during decompression.

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2024-2632"
}
References

Affected packages

Go / github.com/lestrrat-go/jwx

Package

Name
github.com/lestrrat-go/jwx
Purl
pkg:golang/github.com/lestrrat-go/jwx

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.2.29

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/lestrrat-go/jwx/jwe",
            "symbols": [
                "Decrypt",
                "Message.Decrypt",
                "uncompress"
            ]
        }
    ]
}

Go / github.com/lestrrat-go/jwx/v2

Package

Name
github.com/lestrrat-go/jwx/v2
Purl
pkg:golang/github.com/lestrrat-go/jwx/v2

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.0.21

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/lestrrat-go/jwx/v2/jwe",
            "symbols": [
                "Decrypt",
                "Settings",
                "decryptCtx.decryptContent",
                "uncompress"
            ]
        }
    ]
}