x/vulndb: potential Go vuln in github.com/dvsekhvalnov/jose2go: GHSA-9mj6-hxhv-w67j #4123
Description
Advisory GHSA-9mj6-hxhv-w67j references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/dvsekhvalnov/jose2go |
Description:
An issue was discovered in dvsekhvalnov jose2go 1.5.0 thru 1.7.0 allowing an attacker to cause a Denial-of-Service (DoS) via crafted JSON Web Encryption (JWE) token with an exceptionally high compression ratio.
References:
- ADVISORY: GHSA-9mj6-hxhv-w67j
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-63811
- FIX: dvsekhvalnov/jose2go@0a0673d
- REPORT: [Vuln] JWT bomb Attack in decode function dvsekhvalnov/jose2go#33
Cross references:
- github.com/dvsekhvalnov/jose2go appears in 1 other report(s):
- data/reports/GO-2023-2409.yaml (x/vulndb: potential Go vuln in jose2go #2409)
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
- module: github.com/dvsekhvalnov/jose2go
versions:
- fixed: 1.7.0
vulnerable_at: 1.6.0
summary: jose2go is vulnerable to a JWT bomb attack through its decode function in github.com/dvsekhvalnov/jose2go
cves:
- CVE-2025-63811
ghsas:
- GHSA-9mj6-hxhv-w67j
references:
- advisory: https://github.com/advisories/GHSA-9mj6-hxhv-w67j
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-63811
- fix: https://github.com/dvsekhvalnov/jose2go/commit/0a0673dd7f2820a446de5b04b9094b2291d77d5d
- report: https://github.com/dvsekhvalnov/jose2go/issues/33
source:
id: GHSA-9mj6-hxhv-w67j
created: 2025-11-14T22:01:19.932772834Z
review_status: UNREVIEWED