github.com/go-jose/go-jose vulnerabilities
2 known vulnerabilities affecting github.com/go-jose_go-jose.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2
Vulnerabilities
CVE-2026-34986 | HIGH | ≥ 0, ≤ 2.6.3 | 2026-04-03
CVE-2026-34986 [HIGH] CWE-248 Go JOSE Panics in JWE decryption
### Impact
Decrypting a JSON Web Encryption (JWE) object will panic if the `alg` field indicates a key wrapping algorithm ([one ending in `KW`](https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants), with the exception of `A128GCMKW`, `A192GCMKW`, and `A256GCMKW`) and the `encrypted_key` field is empty. The panic happens when `cipher.KeyUnwrap()` in `key_wrap.go` attempts to allocate a slic
ghsa, osv
CVE-2025-27144 | HIGH | CVSS 7.5 | ≥ 0, < 3.0.4 | 2025-02-24
CVE-2025-27144 [HIGH] CWE-400 DoS in go-jose Parsing
### Impact
When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used `strings.Split(token, ".")` to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.
### Patches
Versio
ghsa, osv