/
DirectorySecurity AdvisoriesPricing
Sign In
Security Advisories

GHSA-2c7c-3mj9-8fqh

Published

Last updated

https://github.com/advisories/GHSA-2c7c-3mj9-8fqh

Severity

Unknown

Summary

Decryption of malicious PBES2 JWE objects can consume unbounded system resources

Description

The go-jose package is subject to a "billion hashes attack" causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.

References

  • https://github.com/advisories/GHSA-2c7c-3mj9-8fqh

Affected packages


Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2025 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Products

Chainguard ContainersChainguard LibrariesChainguard VMs