CVE-2024-28122
Severity CVSS v4.0:
Pending analysis
Type:
CWE-400
Uncontrolled Resource Consumption ('Resource Exhaustion')
Publication date:
09/03/2024
Last modified:
05/12/2025
Description
JWX is Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. This vulnerability allows an attacker with a trusted public key to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. This issue has been patched in versions 1.2.29 and 2.0.21.
Impact
Base Score 3.x
6.80
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:lestrrat-go:jwx:*:*:*:*:*:*:*:* | 1.2.29 (excluding) | |
| cpe:2.3:a:lestrrat-go:jwx:*:*:*:*:*:*:*:* | 2.0.0 (including) | 2.0.21 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/lestrrat-go/jwx/releases/tag/v1.2.29
- https://github.com/lestrrat-go/jwx/releases/tag/v2.0.21
- https://github.com/lestrrat-go/jwx/security/advisories/GHSA-hj3v-m684-v259
- https://github.com/lestrrat-go/jwx/releases/tag/v1.2.29
- https://github.com/lestrrat-go/jwx/releases/tag/v2.0.21
- https://github.com/lestrrat-go/jwx/security/advisories/GHSA-hj3v-m684-v259