fix: Update jose2go to v1.8.0 to address CVE-2025-63811#141
Open
poupapaa wants to merge 1 commit into 99designs:master from
Conversation
CVE-2025-63811 is a DoS vulnerability affecting jose2go versions 1.5.0 through 1.7.0. The vulnerability allows an attacker to cause a denial of service via crafted JSON Web Encryption (JWE) tokens with exceptionally high compression ratios (JWT bomb attack).

Changes:
- Update github.com/dvsekhvalnov/jose2go from v1.5.0 to v1.8.0
- v1.8.0 adds RSA-OAEP-384 and RSA-OAEP-512 support
- No breaking changes - fully backward compatible
- All existing file keyring encryption/decryption continues to work

Security:
- Resolves CVE-2025-63811 (DoS via JWT bomb)
- v1.7.0 introduced 250KB decompression limit
- v1.8.0 includes additional security improvements

Testing:
- All file keyring tests pass successfully
- Encryption/decryption operations verified
- No API changes required

Fixes: CVE-2025-63811
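The mitigation the description refers to (a cap on how much a JWE "zip":"DEF" payload may inflate to) can be illustrated with a bounded DEFLATE reader. This is an added example, not code from jose2go, the keyring project or this PR; the 250*1024-byte constant and the function names are assumptions, and the "bomb" input is constructed here for demonstration.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressionLimit is returned when the inflated payload would exceed the cap.
var ErrDecompressionLimit = errors.New("jwe: decompressed payload exceeds limit")

// DefaultDecompressionLimit: assumed 250*1024 bytes; the exact jose2go constant is not on the page.
const DefaultDecompressionLimit = 250 * 1024

// inflateBounded inflates a raw DEFLATE stream but refuses to produce more than limit
// bytes, so a tiny ciphertext that expands to gigabytes fails fast instead of exhausting memory.
func inflateBounded(compressed []byte, limit int64) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	// Read one byte past the limit: if that byte exists, the payload is too large.
	out, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > limit {
		return nil, ErrDecompressionLimit
	}
	return out, nil
}

// deflate compresses plaintext with raw DEFLATE; used here only to build sample inputs.
func deflate(plain []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(plain)
	w.Close()
	return buf.Bytes()
}

func main() {
	// Constructed "bomb": 16 MiB of zeros compresses to a few kilobytes.
	bomb := deflate(make([]byte, 16<<20))
	_, err := inflateBounded(bomb, DefaultDecompressionLimit)
	fmt.Printf("bomb (%d bytes compressed): %v\n", len(bomb), err)
	small, err := inflateBounded(deflate([]byte(`{"sub":"alice"}`)), DefaultDecompressionLimit)
	fmt.Printf("small payload: %s, err=%v\n", small, err)
}
```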
Merged in maintained fork: https://github.com/ByteNess/keyring/