Source: golang-github-go-jose-go-jose.v3
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for golang-github-go-jose-go-jose.v3.

CVE-2026-34986[0]:
| Go JOSE provides an implementation of the Javascript Object Signing
| and Encryption set of standards in Go, including support for JSON
| Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token
| (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web
| Encryption (JWE) object will panic if the alg field indicates a key
| wrapping algorithm (one ending in KW, with the exception of
| A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is
| empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go
| attempts to allocate a slice with a zero or negative length based on
| the length of the encrypted_key. This code path is reachable from
| ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact()
| followed by Decrypt() on the resulting object. Note that the parse
| functions take a list of accepted key algorithms. If the accepted
| key algorithms do not include any key wrapping algorithms, parsing
| will fail and the application will be unaffected. This panic is also
| reachable by calling cipher.KeyUnwrap() directly with any ciphertext
| parameter less than 16 bytes long, but calling this function
| directly is less common. Panics can lead to denial of service. This
| vulnerability is fixed in 4.1.4 and 3.0.5.

https://github.com/go-jose/go-jose/commit/0e59876635f3dbf46d7b5e97b52bb75a3f96e7d9 (v4.1.4)
https://github.com/go-jose/go-jose/commit/02464163e1e891db85257cb8860978a1c0226016 (v3.0.5)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-34986
    https://www.cve.org/CVERecord?id=CVE-2026-34986

Please adjust the affected versions in the BTS as needed.
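The failure class described above (a key-unwrap routine deriving a slice length from an attacker-controlled ciphertext length) is easiest to see next to its fix. The following is an added example written for this report, not go-jose's key_wrap.go or the upstream patch: it is a self-contained RFC 3394 AES Key Wrap in Go whose unguarded unwrap computes n = len(ciphertext)/8 - 1 and panics in make() on an empty input, while the guarded KeyUnwrap rejects anything shorter than 16 bytes or not a multiple of 8 before doing any arithmetic. The names KeyWrap, KeyUnwrap, unwrapUnchecked, UnwrapPanics and ErrMalformedWrappedKey are this example's own; the key and KEK values are the RFC 3394 section 4.1 test vector.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// RFC 3394 default initial value; doubles as the integrity check on unwrap.
var defaultIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// ErrMalformedWrappedKey is a hypothetical error name chosen for this example.
var ErrMalformedWrappedKey = errors.New("key unwrap: ciphertext must be at least 16 bytes and a multiple of 8")

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// KeyWrap is an RFC 3394 AES Key Wrap written for this example.
func KeyWrap(kek, plaintext []byte) ([]byte, error) {
	if len(plaintext) < 16 || len(plaintext)%8 != 0 {
		return nil, errors.New("key wrap: plaintext must be at least 16 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(plaintext) / 8
	a := append([]byte(nil), defaultIV...)
	r := make([][]byte, n)
	for i := range r {
		r[i] = append([]byte(nil), plaintext[i*8:(i+1)*8]...)
	}
	buf := make([]byte, 16)
	for j := 0; j <= 5; j++ {
		for i := 0; i < n; i++ {
			copy(buf[:8], a)
			copy(buf[8:], r[i])
			block.Encrypt(buf, buf)
			t := uint64(n*j + i + 1) // RFC counter t = n*j + i with 1-based i
			binary.BigEndian.PutUint64(a, binary.BigEndian.Uint64(buf[:8])^t)
			copy(r[i], buf[8:])
		}
	}
	return append(a, bytes.Join(r, nil)...), nil
}

// KeyUnwrap is the hardened entry point: lengths that cannot be a valid
// wrapped key are rejected before any arithmetic depends on them.
func KeyUnwrap(kek, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) < 16 || len(ciphertext)%8 != 0 {
		return nil, ErrMalformedWrappedKey
	}
	return unwrapUnchecked(kek, ciphertext)
}

// unwrapUnchecked trusts the length. An empty ciphertext gives n = -1 and
// make panics ("makeslice: len out of range"); a zero-length encrypted_key
// reaching this point is exactly the crash-on-malformed-input the CVE describes.
func unwrapUnchecked(kek, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(ciphertext)/8 - 1
	r := make([][]byte, n) // no guard: n <= 0 is never checked here
	a := append([]byte(nil), ciphertext[:8]...)
	for i := range r {
		r[i] = append([]byte(nil), ciphertext[(i+1)*8:(i+2)*8]...)
	}
	buf := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			t := uint64(n*j + i + 1)
			binary.BigEndian.PutUint64(buf[:8], binary.BigEndian.Uint64(a)^t)
			copy(buf[8:], r[i])
			block.Decrypt(buf, buf)
			copy(a, buf[:8])
			copy(r[i], buf[8:])
		}
	}
	if !bytes.Equal(a, defaultIV) {
		return nil, errors.New("key unwrap: integrity check failed")
	}
	return bytes.Join(r, nil), nil
}

// UnwrapPanics reports whether the unguarded unwrap panics on the input;
// it only makes the failure observable without taking the process down.
func UnwrapPanics(kek, ciphertext []byte) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	_, _ = unwrapUnchecked(kek, ciphertext)
	return false
}

func main() {
	kek := mustHex("000102030405060708090A0B0C0D0E0F")
	wrapped, _ := KeyWrap(kek, mustHex("00112233445566778899AABBCCDDEEFF"))
	fmt.Printf("wrapped key: %x\n", wrapped)
	fmt.Println("unguarded unwrap of empty encrypted_key panics:", UnwrapPanics(kek, nil))
	_, err := KeyUnwrap(kek, nil)
	fmt.Println("guarded unwrap of empty encrypted_key returns:", err)
}
```

The guard belongs at the unwrap boundary rather than only in the JWE parser, since the report notes the same panic is reachable by calling the unwrap function directly; a length check that returns an error turns a process-wide crash into a per-request decryption failure the caller can log and handle.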

