CVE-2024-21664

A null pointer dereference vulnerability was found in the jwx/jws Go module. This issue arises when invoking "jws.Parse" with a JSON serialized payload containing a present signature field while the protected field is absentm, which may cause a system crash or initiate a denial of service DOS...

Null pointer dereference

jwx is a Go module implementing various JWx JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE technologies. Calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent can lead to a nil pointer dereference. The vulnerability can be used to crash/DOS ...

CVE-2024-21664 Parsing JSON serialized payload without protected field can lead to segfault

jwx is a Go module implementing various JWx JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE technologies. Calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent can lead to a nil pointer dereference. The vulnerability can be used to crash/DOS ...

Parsing JSON serialized payload without protected field can lead to segfault

Summary Calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent can lead to a nil pointer dereference. Details This seems to also affect other functions that calls Parse internally, like jws.Verify. My understanding of these functions from t...