/
DirectorySecurity AdvisoriesPricing
Sign In
Security Advisories

GHSA-2c7c-3mj9-8fqh

Published

Last updated

https://github.com/advisories/GHSA-2c7c-3mj9-8fqh

Severity

Unknown

Summary

Decryption of malicious PBES2 JWE objects can consume unbounded system resources

Description

The go-jose package is subject to a "billion hashes attack" causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.

References

  • https://github.com/advisories/GHSA-2c7c-3mj9-8fqh
  • https://github.com/go-jose/go-jose/issues/64
  • https://github.com/go-jose/go-jose/commit/65351c27657d58960c2e6c9fbb2b00f818e50568
  • https://github.com/go-jose/go-jose/commit/a3d307244c3bc50b25a71aa0688764c32ec419c7
  • https://github.com/go-jose/go-jose

Affected packages

Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2025 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Products

Chainguard ContainersChainguard LibrariesChainguard VMs

Why Chainguard

FedRAMPPCICVE RemediationGolden Images

Customers

Customer StoriesChainguard Love

Company

About UsPricingContact UsOpen SourceCareersNewsroomLegalScanner Partners

Resources

Unchained BlogEventsTrust CenterDocumentation