On Tue, Apr 07, 2026 at 09:48:15AM +0200, Greg Kroah-Hartman wrote: > Subject: [PATCH 10/10] BUG: jwe: fix memory leak in jwt_decrypt_secret with > var argument > When the secret argument to jwt_decrypt_secret is a variable > (ARGT_VAR) rather than a literal string, alloc_trash_chunk() is > called to hold the base64-decoded secret but the buffer is never > released. The end: label frees input, decrypted_cek, out, and the > decoded_items array but not secret. > > Each request leaks one trash chunk (~tune.bufsize, default 16KB). > At ~65000 requests per GiB this allows slow memory exhaustion DoS > against any config of the form: > > http-request set-var(txn.x) req.hdr(...),jwt_decrypt_secret(txn.key) > > This must be backported as far as JWE support exists.
Merged as a BUG/MEDIUM, thanks! -- William Lallemand
