Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security] #171

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security] #171

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Feb 25, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/go-jose/go-jose/v4 v4.0.4 -> v4.0.5 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-27144

Impact

When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of '.' characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.

Patches

Version 4.0.5 fixes this issue

Workarounds

Applications could pre-validate payloads passed to go-jose do not contain an excessive number of '.' characters.

References

This is the same sort of issue as in the golang.org/x/oauth2/jws package as CVE-2025-22868 and Go issue https://go.dev/issue/71490.

Release Notes

go-jose/go-jose (github.com/go-jose/go-jose/v4)

v4.0.5

Compare Source

What's Changed

Fixes GHSA-c6gw-w398-hv78

Various other dependency updates, small fixes, and documentation updates in the full changelog

New Contributors

Full Changelog: go-jose/go-jose@v4.0.4...v4.0.5

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added dependencies Pull requests that update a dependency file security labels Feb 25, 2025
@renovate renovate bot enabled auto-merge (squash) February 25, 2025 00:24
@renovate Renovate
Copy link
Contributor Author

renovate bot commented Feb 25, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go get -d -t ./...
go: -d flag is deprecated. -d=true is a no-op
go: go.equinixmetal.net/[email protected]: reading go.equinixmetal.net/staff/go.mod at revision v0.42.0: git ls-remote -q origin in /runner/cache/others/go/pkg/mod/cache/vcs/d0cf6f6f81e2e59d60e16527856e0aaa54ae79106d49f76b4bf1ad67db6d5d42: exit status 128:
	remote: Repository not found.
	fatal: repository 'https://github.com/equinixmetal/go-staff/' not found

@renovate renovate bot changed the title fix(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security] fix(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security] - autoclosed Mar 3, 2025
@renovate renovate bot closed this Mar 3, 2025
auto-merge was automatically disabled March 3, 2025 08:37

Pull request was closed

@renovate renovate bot deleted the renovate/go-github.com-go-jose-go-jose-v4-vulnerability branch March 3, 2025 08:37
@renovate renovate bot changed the title fix(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security] - autoclosed fix(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security] Mar 3, 2025
@renovate renovate bot reopened this Mar 3, 2025
@renovate renovate bot force-pushed the renovate/go-github.com-go-jose-go-jose-v4-vulnerability branch from eb6b4a9 to 82699ec Compare March 3, 2025 13:43
@renovate renovate bot enabled auto-merge (squash) March 3, 2025 13:52
@renovate renovate bot force-pushed the renovate/go-github.com-go-jose-go-jose-v4-vulnerability branch from 82699ec to 2385b77 Compare March 3, 2025 13:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants