VYPR
Medium severity4.3NVD Advisory· Published Jan 9, 2024· Updated Jun 17, 2026

CVE-2024-21664

CVE-2024-21664

Description

jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. Calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent can lead to a nil pointer dereference. The vulnerability can be used to crash/DOS a system doing JWS verification. This vulnerability has been patched in versions 2.0.19 and 1.2.28.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/lestrrat-go/jwxGo
>= 1.0.8, < 1.2.281.2.28
github.com/lestrrat-go/jwx/v2Go
< 2.0.192.0.19

Affected products

123

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.