Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Update module github.com/go-jose/go-jose/v4 to v4.0.5 [SECURITY] #86

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update module github.com/go-jose/go-jose/v4 to v4.0.5 [SECURITY] #86

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 3, 2025

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/go-jose/go-jose/v4 v4.0.2 -> v4.0.5 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-27144

Impact

When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of '.' characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.

Patches

Version 4.0.5 fixes this issue

Workarounds

Applications could pre-validate payloads passed to go-jose do not contain an excessive number of '.' characters.

References

This is the same sort of issue as in the golang.org/x/oauth2/jws package as CVE-2025-22868 and Go issue https://go.dev/issue/71490.

Release Notes

go-jose/go-jose (github.com/go-jose/go-jose/v4)

v4.0.5

Compare Source

What's Changed

Fixes GHSA-c6gw-w398-hv78

Various other dependency updates, small fixes, and documentation updates in the full changelog

New Contributors

Full Changelog: go-jose/go-jose@v4.0.4...v4.0.5

v4.0.4

Compare Source

Fixed

  • Reverted "Allow unmarshalling JSONWebKeySets with unsupported key types" as a
    breaking change. See #​136 / #​137.

v4.0.3

Compare Source

Changed

  • Allow unmarshalling JSONWebKeySets with unsupported key types (#​130)
  • Document that OpaqueKeyEncrypter can't be implemented (for now) (#​129)
  • Dependency updates

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot enabled auto-merge (squash) March 3, 2025 14:19
@renovate Renovate
Copy link
Contributor Author

renovate bot commented Mar 3, 2025

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 2 additional dependencies were updated

Details:

Package Change
golang.org/x/crypto v0.31.0 -> v0.32.0
golang.org/x/sys v0.28.0 -> v0.29.0

# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants