Vulnerability Database

317,107

Total vulnerabilities in the database

Decryption of malicious PBES2 JWE objects can consume unbounded system resources

The go-jose package is subject to a "billion hashes attack" causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.

Published: Nov 21, 2023
Updated: Nov 22, 2023
GHSA: GHSA-2c7c-3mj9-8fqh
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-400

Affected Software
References

Software	From	Fixed in
github.com/go-jose/go-jose/v3	-	3.0.1
github.com/square/go-jose	-	2.6.2

https://github.com/go-jose/go-jose/commit/65351c27657d58960c2e6c9fbb2b00f818e50568
https://github.com/go-jose/go-jose/commit/a3d307244c3bc50b25a71aa0688764c32ec419c7
https://github.com/go-jose/go-jose/issues/64

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo