/
DirectorySecurity AdvisoriesPricing
Sign in
Security Advisories

GHSA-mhpq-9638-x6pw

Published

Last updated

https://github.com/advisories/GHSA-mhpq-9638-x6pw

Severity

5.3

Medium

CVSS CVSS_V3

Summary

Denial of service when decrypting attack controlled input in github.com/dvsekhvalnov/jose2go

Description

An attacker controlled input of a PBES2 encrypted JWE blob can have a very large p2c value that, when decrypted, produces a denial-of-service.

References

  • https://github.com/advisories/GHSA-mhpq-9638-x6pw
  • https://github.com/dvsekhvalnov/jose2go/issues/31
  • https://github.com/dvsekhvalnov/jose2go/commit/a4584e9dd7128608fedbc67892eba9697f0d5317
  • https://github.com/dvsekhvalnov/jose2go
  • https://www.blackhat.com/us-23/briefings/schedule/#three-new-attacks-against-json-web-tokens-31695

Affected packages

Safe Source for Open Sourceâ„¢
Contact us
© 2025 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Product

Chainguard ContainersChainguard LibrariesChainguard VMsIntegrationsPricing

Solutions

FedRAMPPCI DSSGolden ImagesCVE RemediationPublic Sector

Customers

Customer StoriesChainguard Reviews

Resources

Events & WebinarsChainguard CoursesDocumentationTrust Center

Company

About UsBlogPartnersNewsroomCareersLegal