View all vulnerabilities

CVE-2024-28180

Decompression bomb vulnerability in github.com/go-jose/go-jose

An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading
Vulnerability Details
Score
Score Vector
Affected Versions
github.com/go-jose/go-jose/v4 < 4.0.1; github.com/go-jose/go-jose/v3 < 3.0.3; gopkg.in/go-jose/go-jose.v2 < 2.6.3
Severity
Ecosystem
GO
Publish Date
March 15, 2024
Modified Date
October 22, 2024