Skip to content

chore(deps): Update module github.com/go-jose/go-jose/v4 to v4.0.5 [SECURITY] #9318

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 25, 2025
Merged

chore(deps): Update module github.com/go-jose/go-jose/v4 to v4.0.5 [SECURITY] #9318

merged 1 commit into from
Feb 25, 2025

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Feb 24, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/go-jose/go-jose/v4 v4.0.4 -> v4.0.5 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-27144

Impact

When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of '.' characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.

Patches

Version 4.0.5 fixes this issue

Workarounds

Applications could pre-validate payloads passed to go-jose do not contain an excessive number of '.' characters.

References

This is the same sort of issue as in the golang.org/x/oauth2/jws package as CVE-2025-22868 and Go issue https://go.dev/issue/71490.

Release Notes

go-jose/go-jose (github.com/go-jose/go-jose/v4)

v4.0.5

Compare Source

What's Changed

Fixes GHSA-c6gw-w398-hv78

Various other dependency updates, small fixes, and documentation updates in the full changelog

New Contributors

Full Changelog: go-jose/go-jose@v4.0.4...v4.0.5

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner February 24, 2025 22:55
@trunk-io Trunk.io
Copy link

trunk-io bot commented Feb 25, 2025
edited
Loading

Static BadgeStatic BadgeStatic BadgeStatic Badge

View Full Report ↗︎Docs

@mangalaman93 mangalaman93 force-pushed the renovate/go-github.com-go-jose-go-jose-v4-vulnerability branch from 2db90f4 to 0eec6dc Compare February 25, 2025 18:51
@mangalaman93 mangalaman93 enabled auto-merge (squash) February 25, 2025 19:32
@mangalaman93 mangalaman93 merged commit 28b27a6 into main Feb 25, 2025
14 checks passed
@mangalaman93 mangalaman93 deleted the renovate/go-github.com-go-jose-go-jose-v4-vulnerability branch February 25, 2025 19:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mangalaman93 mangalaman93 mangalaman93 approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@mangalaman93