The go-jose package is subject to a βbillion hashes attackβ causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.
CPE | Name | Operator | Version |
---|---|---|---|
github.com/go-jose/go-jose/v3 | lt | 3.0.1 |