Medium severity4.3NVD Advisory· Published Jan 9, 2024· Updated Jun 17, 2026
CVE-2024-21664
CVE-2024-21664
Description
jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. Calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent can lead to a nil pointer dereference. The vulnerability can be used to crash/DOS a system doing JWS verification. This vulnerability has been patched in versions 2.0.19 and 1.2.28.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/lestrrat-go/jwxGo | >= 1.0.8, < 1.2.28 | 1.2.28 |
github.com/lestrrat-go/jwx/v2Go | < 2.0.19 | 2.0.19 |
Affected products
123- osv-coords122 versionspkg:apk/chainguard/boring-registrypkg:apk/chainguard/cosign-fipspkg:apk/chainguard/external-secrets-0.7pkg:apk/chainguard/external-secrets-0.7-compatpkg:apk/chainguard/external-secrets-fipspkg:apk/chainguard/external-secrets-operatorpkg:apk/chainguard/falcopkg:apk/chainguard/falcoctlpkg:apk/chainguard/falcoctl-fipspkg:apk/chainguard/falco-devpkg:apk/chainguard/falco-srcpkg:apk/chainguard/gitsignpkg:apk/chainguard/gitsign-configpkg:apk/chainguard/gitsign-credential-cachepkg:apk/chainguard/istio-cni-1.19pkg:apk/chainguard/istio-cni-1.19-compatpkg:apk/chainguard/istio-cni-1.20pkg:apk/chainguard/istio-cni-1.20-compatpkg:apk/chainguard/istio-cni-fips-1.19pkg:apk/chainguard/istio-cni-fips-1.19-compatpkg:apk/chainguard/istio-install-cni-1.19pkg:apk/chainguard/istio-install-cni-1.19-compatpkg:apk/chainguard/istio-install-cni-1.20pkg:apk/chainguard/istio-install-cni-1.20-compatpkg:apk/chainguard/istio-install-cni-fips-1.19pkg:apk/chainguard/istio-install-cni-fips-1.19-compatpkg:apk/chainguard/istio-operator-1.19pkg:apk/chainguard/istio-operator-1.20pkg:apk/chainguard/istio-operator-fips-1.19pkg:apk/chainguard/istio-pilot-agent-1.18pkg:apk/chainguard/istio-pilot-agent-1.18-compatpkg:apk/chainguard/istio-pilot-agent-1.19pkg:apk/chainguard/istio-pilot-agent-1.19-compatpkg:apk/chainguard/istio-pilot-agent-1.20pkg:apk/chainguard/istio-pilot-agent-1.20-compatpkg:apk/chainguard/istio-pilot-agent-fips-1.19pkg:apk/chainguard/istio-pilot-agent-fips-1.19-compatpkg:apk/chainguard/istio-pilot-discovery-1.18pkg:apk/chainguard/istio-pilot-discovery-1.18-compatpkg:apk/chainguard/istio-pilot-discovery-1.19pkg:apk/chainguard/istio-pilot-discovery-1.19-compatpkg:apk/chainguard/istio-pilot-discovery-1.20pkg:apk/chainguard/istio-pilot-discovery-1.20-compatpkg:apk/chainguard/istio-pilot-discovery-fips-1.19pkg:apk/chainguard/istio-pilot-discovery-fips-1.19-compatpkg:apk/chainguard/kubescapepkg:apk/chainguard/kyvernopkg:apk/chainguard/kyverno-background-controllerpkg:apk/chainguard/kyverno-cleanup-controllerpkg:apk/chainguard/kyverno-clipkg:apk/chainguard/kyverno-init-containerpkg:apk/chainguard/kyverno-reports-controllerpkg:apk/chainguard/mcpkg:apk/chainguard/mc-bitnami-2024-compatpkg:apk/chainguard/mc-bitnami-2025-compatpkg:apk/chainguard/mc-iamguarded-2025-compatpkg:apk/chainguard/miniopkg:apk/chainguard/minio-bitnami-2024-compatpkg:apk/chainguard/minio-bitnami-2025-compatpkg:apk/chainguard/minio-iamguarded-2025-compatpkg:apk/chainguard/spire-agentpkg:apk/chainguard/spire-agent-fipspkg:apk/chainguard/spire-oidc-discovery-providerpkg:apk/chainguard/spire-oidc-discovery-provider-fipspkg:apk/chainguard/spire-serverpkg:apk/chainguard/spire-server-fipspkg:apk/chainguard/tekton-chainspkg:apk/chainguard/vexctlpkg:apk/wolfi/boring-registrypkg:apk/wolfi/cosign-fipspkg:apk/wolfi/external-secrets-operatorpkg:apk/wolfi/falcopkg:apk/wolfi/falcoctlpkg:apk/wolfi/falco-devpkg:apk/wolfi/falco-srcpkg:apk/wolfi/gitsignpkg:apk/wolfi/gitsign-configpkg:apk/wolfi/gitsign-credential-cachepkg:apk/wolfi/istio-cni-1.19pkg:apk/wolfi/istio-cni-1.19-compatpkg:apk/wolfi/istio-cni-1.20pkg:apk/wolfi/istio-cni-1.20-compatpkg:apk/wolfi/istio-install-cni-1.19pkg:apk/wolfi/istio-install-cni-1.19-compatpkg:apk/wolfi/istio-install-cni-1.20pkg:apk/wolfi/istio-install-cni-1.20-compatpkg:apk/wolfi/istio-operator-1.19pkg:apk/wolfi/istio-operator-1.20pkg:apk/wolfi/istio-pilot-agent-1.18pkg:apk/wolfi/istio-pilot-agent-1.18-compatpkg:apk/wolfi/istio-pilot-agent-1.19pkg:apk/wolfi/istio-pilot-agent-1.19-compatpkg:apk/wolfi/istio-pilot-agent-1.20pkg:apk/wolfi/istio-pilot-agent-1.20-compatpkg:apk/wolfi/istio-pilot-discovery-1.18pkg:apk/wolfi/istio-pilot-discovery-1.18-compatpkg:apk/wolfi/istio-pilot-discovery-1.19pkg:apk/wolfi/istio-pilot-discovery-1.19-compatpkg:apk/wolfi/istio-pilot-discovery-1.20pkg:apk/wolfi/istio-pilot-discovery-1.20-compatpkg:apk/wolfi/kubescapepkg:apk/wolfi/kyvernopkg:apk/wolfi/kyverno-background-controllerpkg:apk/wolfi/kyverno-cleanup-controllerpkg:apk/wolfi/kyverno-clipkg:apk/wolfi/kyverno-init-containerpkg:apk/wolfi/kyverno-reports-controllerpkg:apk/wolfi/mcpkg:apk/wolfi/mc-bitnami-2024-compatpkg:apk/wolfi/mc-bitnami-2025-compatpkg:apk/wolfi/mc-iamguarded-2025-compatpkg:apk/wolfi/miniopkg:apk/wolfi/minio-bitnami-2024-compatpkg:apk/wolfi/minio-bitnami-2025-compatpkg:apk/wolfi/minio-iamguarded-2025-compatpkg:apk/wolfi/spire-agentpkg:apk/wolfi/spire-oidc-discovery-providerpkg:apk/wolfi/spire-serverpkg:apk/wolfi/tekton-chainspkg:apk/wolfi/vexctlpkg:golang/github.com/lestrrat-go/jwxpkg:golang/github.com/lestrrat-go/jwx/v2
< 0.12.1-r0+ 121 more
- (no CPE)range: < 0.12.1-r0
- (no CPE)range: < 2.2.2-r1
- (no CPE)range: < 0.7.1-r8
- (no CPE)range: < 0.7.1-r8
- (no CPE)range: < 0.9.11-r1
- (no CPE)range: < 0.9.11-r1
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.7.1-r1
- (no CPE)range: < 0.7.1-r1
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.8.1-r0
- (no CPE)range: < 0.8.1-r0
- (no CPE)range: < 0.8.1-r0
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 1.20.2-r2
- (no CPE)range: < 1.20.2-r2
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 1.20.2-r2
- (no CPE)range: < 1.20.2-r2
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 1.20.2-r2
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 1.18.7-r2
- (no CPE)range: < 1.18.7-r2
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 1.20.2-r3
- (no CPE)range: < 1.20.2-r3
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 1.18.7-r2
- (no CPE)range: < 1.18.7-r2
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 1.20.2-r3
- (no CPE)range: < 1.20.2-r3
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 3.0.3-r4
- (no CPE)range: < 1.11.4-r1
- (no CPE)range: < 1.11.4-r1
- (no CPE)range: < 1.11.4-r1
- (no CPE)range: < 1.11.4-r1
- (no CPE)range: < 1.11.4-r1
- (no CPE)range: < 1.11.4-r1
- (no CPE)range: < 0.20231220.071422-r2
- (no CPE)range: < 0.20231220.071422-r2
- (no CPE)range: < 0.20231220.071422-r2
- (no CPE)range: < 0.20231220.071422-r2
- (no CPE)range: < 0.20231220.010002-r2
- (no CPE)range: < 0.20231220.010002-r2
- (no CPE)range: < 0.20231220.010002-r2
- (no CPE)range: < 0.20231220.010002-r2
- (no CPE)range: < 1.8.7-r2
- (no CPE)range: < 1.8.7-r2
- (no CPE)range: < 1.8.7-r2
- (no CPE)range: < 1.8.7-r2
- (no CPE)range: < 1.8.7-r2
- (no CPE)range: < 1.8.7-r2
- (no CPE)range: < 0.19.0-r6
- (no CPE)range: < 0.2.6-r0
- (no CPE)range: < 0.12.1-r0
- (no CPE)range: < 2.2.2-r1
- (no CPE)range: < 0.9.11-r1
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.7.1-r1
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.8.1-r0
- (no CPE)range: < 0.8.1-r0
- (no CPE)range: < 0.8.1-r0
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 1.20.2-r2
- (no CPE)range: < 1.20.2-r2
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 1.20.2-r2
- (no CPE)range: < 1.20.2-r2
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 1.20.2-r2
- (no CPE)range: < 1.18.7-r2
- (no CPE)range: < 1.18.7-r2
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 1.20.2-r3
- (no CPE)range: < 1.20.2-r3
- (no CPE)range: < 1.18.7-r2
- (no CPE)range: < 1.18.7-r2
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 1.19.6-r2
- (no CPE)range: < 1.20.2-r3
- (no CPE)range: < 1.20.2-r3
- (no CPE)range: < 3.0.3-r4
- (no CPE)range: < 1.11.4-r1
- (no CPE)range: < 1.11.4-r1
- (no CPE)range: < 1.11.4-r1
- (no CPE)range: < 1.11.4-r1
- (no CPE)range: < 1.11.4-r1
- (no CPE)range: < 1.11.4-r1
- (no CPE)range: < 0.20231220.071422-r2
- (no CPE)range: < 0.20231220.071422-r2
- (no CPE)range: < 0.20231220.071422-r2
- (no CPE)range: < 0.20231220.071422-r2
- (no CPE)range: < 0.20231220.010002-r2
- (no CPE)range: < 0.20231220.010002-r2
- (no CPE)range: < 0.20231220.010002-r2
- (no CPE)range: < 0.20231220.010002-r2
- (no CPE)range: < 1.8.7-r2
- (no CPE)range: < 1.8.7-r2
- (no CPE)range: < 1.8.7-r2
- (no CPE)range: < 0.19.0-r6
- (no CPE)range: < 0.2.6-r0
- (no CPE)range: >= 1.0.8, < 1.2.28
- (no CPE)range: < 2.0.19
- Range: >= 2.0.0, < 2.0.19
Patches
Vulnerability mechanics
References
6- github.com/lestrrat-go/jwx/commit/0e8802ce6842625845d651456493e7c87625601fnvdPatchWEB
- github.com/lestrrat-go/jwx/commit/d69a721931a5c48b9850a42404f18e143704adcdnvdPatchWEB
- github.com/lestrrat-go/jwx/security/advisories/GHSA-pvcr-v8j8-j5q3nvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-pvcr-v8j8-j5q3ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-21664ghsaADVISORY
- github.com/lestrrat-go/jwx/commit/8c53d0ae52d5ab1e2b37c5abb67def9e7958fd65nvdWEB
News mentions
0No linked articles in our index yet.