CVE-2024-28122

Published: Mar 9, 2024Modified: Dec 5, 2025

6.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

Exploitability: 2.3 / Impact: 4.0

Source: security-advisories@github.com (Secondary)

Description

JWX is Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. This vulnerability allows an attacker with a trusted public key to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. This issue has been patched in versions 1.2.29 and 2.0.21.

Affected (2)

Products: Lestrrat Go: Jwx

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Lestrrat Go Jwx	Before 1.2.29
Lestrrat Go Jwx	From 2.0.0 to 2.0.21

Related CWEs

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References (6)

https://github.com/lestrrat-go/jwx/releases/tag/v1.2.29

Source: security-advisories@github.com

ProductRelease Notes

https://github.com/lestrrat-go/jwx/releases/tag/v2.0.21

Source: security-advisories@github.com

ProductRelease Notes

https://github.com/lestrrat-go/jwx/security/advisories/GHSA-hj3v-m684-v259

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/lestrrat-go/jwx/releases/tag/v1.2.29

Source: af854a3a-2127-422b-91ae-364da2661108

ProductRelease Notes

https://github.com/lestrrat-go/jwx/releases/tag/v2.0.21

Source: af854a3a-2127-422b-91ae-364da2661108

ProductRelease Notes

https://github.com/lestrrat-go/jwx/security/advisories/GHSA-hj3v-m684-v259

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

Timeline

No history available yet.