VYPR
Moderate severity · NVD Advisory · Published Mar 9, 2024 · Updated Feb 13, 2025

Go JOSE vulnerable to Improper Handling of Highly Compressed Data (Data Amplification)

CVE-2024-28180

Description

Package jose aims to provide an implementation of the JavaScript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
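As an added illustration (not go-jose's own code), the following Go snippet shows the defensive rule the advisory describes, a bounded DEFLATE inflation (JWE "zip":"DEF" uses raw DEFLATE) that stops reading as soon as the output would pass 250kB or 10x the compressed size, whichever is larger. It assumes "250kB" means 250,000 bytes and constructs its own sample inputs, including a zero-filled buffer that deflates to a few kilobytes.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

var ErrDecompressionTooLarge = errors.New("decompressed payload exceeds allowed size")

// maxDecompressed: 250 kB (assumed here to mean 250,000 bytes) or 10x the
// compressed size, whichever is larger, as the advisory describes.
func maxDecompressed(compressedLen int) int64 {
	limit := int64(250000)
	if ratio := int64(compressedLen) * 10; ratio > limit {
		limit = ratio
	}
	return limit
}

// boundedInflate inflates raw DEFLATE data (JWE "zip":"DEF") but stops reading
// once the output passes the bound, so a tiny input cannot force large allocations.
func boundedInflate(compressed []byte) ([]byte, error) {
	limit := maxDecompressed(len(compressed))
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, limit+1)) // the extra byte tells "at limit" from "over"
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > limit {
		return nil, ErrDecompressionTooLarge
	}
	return out, nil
}

// deflate builds constructed sample inputs in-process.
func deflate(data []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(data)
	w.Close()
	return buf.Bytes()
}

func main() {
	_, err := boundedInflate(deflate(make([]byte, 5<<20))) // constructed: 5 MiB of zeros, a few kB deflated
	fmt.Println("zero-filled input rejected:", err)
}
```

A real JWE decrypt path would apply this check only after authentication of the ciphertext has succeeded, which is where Decrypt and DecryptMulti call into decompression.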


Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         Ecosystem   Affected versions   Patched versions
github.com/go-jose/go-jose/v4   Go          < 4.0.1             4.0.1
github.com/go-jose/go-jose/v3   Go          < 3.0.3             3.0.3
gopkg.in/go-jose/go-jose.v2     Go          < 2.6.3             2.6.3
gopkg.in/square/go-jose.v2      Go          <= 2.6.0            none listed
