You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
chore(deps): Update module github.com/go-jose/go-jose/v4 to v4.1.4 [SECURITY] (#5982)
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[github.com/go-jose/go-jose/v4](https://redirect.github.com/go-jose/go-jose)
| `v4.1.3` → `v4.1.4` |
|
|
---
> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/4569) for more information.
### GitHub Vulnerability Alerts
####
[CVE-2026-34986](https://redirect.github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8)
### Impact
Decrypting a JSON Web Encryption (JWE) object will panic if the `alg`
field indicates a key wrapping algorithm ([one ending in
`KW`](https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants),
with the exception of `A128GCMKW`, `A192GCMKW`, and `A256GCMKW`) and the
`encrypted_key` field is empty. The panic happens when
`cipher.KeyUnwrap()` in `key_wrap.go` attempts to allocate a slice with
a zero or negative length based on the length of the `encrypted_key`.
This code path is reachable from `ParseEncrypted()` /
`ParseEncryptedJSON()` / `ParseEncryptedCompact()` followed by
`Decrypt()` on the resulting object. Note that the parse functions take
a list of accepted key algorithms. If the accepted key algorithms do not
include any key wrapping algorithms, parsing will fail and the
application will be unaffected.
This panic is also reachable by calling `cipher.KeyUnwrap()` directly
with any `ciphertext` parameter less than 16 bytes long, but calling
this function directly is less common.
Panics can lead to denial of service.
### Fixed In
4.1.4 and v3.0.5
### Workarounds
If the list of `keyAlgorithms` passed to `ParseEncrypted()` /
`ParseEncryptedJSON()` / `ParseEncryptedCompact()` does not include key
wrapping algorithms (those ending in `KW`), your application is
unaffected.
If your application uses key wrapping, you can prevalidate to the JWE
objects to ensure the `encrypted_key` field is nonempty. If your
application accepts JWE Compact Serialization, apply that validation to
the corresponding field of that serialization (the data between the
first and second `.`).
### Thanks
Go JOSE thanks Datadog's Security team for finding this issue.
---
### Go JOSE Panics in JWE decryption
[CVE-2026-34986](https://nvd.nist.gov/vuln/detail/CVE-2026-34986) /
[GHSA-78h2-9frx-2jm8](https://redirect.github.com/advisories/GHSA-78h2-9frx-2jm8)
<details>
<summary>More information</summary>
#### Details
##### Impact
Decrypting a JSON Web Encryption (JWE) object will panic if the `alg`
field indicates a key wrapping algorithm ([one ending in
`KW`](https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants),
with the exception of `A128GCMKW`, `A192GCMKW`, and `A256GCMKW`) and the
`encrypted_key` field is empty. The panic happens when
`cipher.KeyUnwrap()` in `key_wrap.go` attempts to allocate a slice with
a zero or negative length based on the length of the `encrypted_key`.
This code path is reachable from `ParseEncrypted()` /
`ParseEncryptedJSON()` / `ParseEncryptedCompact()` followed by
`Decrypt()` on the resulting object. Note that the parse functions take
a list of accepted key algorithms. If the accepted key algorithms do not
include any key wrapping algorithms, parsing will fail and the
application will be unaffected.
This panic is also reachable by calling `cipher.KeyUnwrap()` directly
with any `ciphertext` parameter less than 16 bytes long, but calling
this function directly is less common.
Panics can lead to denial of service.
##### Fixed In
4.1.4 and v3.0.5
##### Workarounds
If the list of `keyAlgorithms` passed to `ParseEncrypted()` /
`ParseEncryptedJSON()` / `ParseEncryptedCompact()` does not include key
wrapping algorithms (those ending in `KW`), your application is
unaffected.
If your application uses key wrapping, you can prevalidate to the JWE
objects to ensure the `encrypted_key` field is nonempty. If your
application accepts JWE Compact Serialization, apply that validation to
the corresponding field of that serialization (the data between the
first and second `.`).
##### Thanks
Go JOSE thanks Datadog's Security team for finding this issue.
#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
#### References
-
[https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8](https://redirect.github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8)
-
[https://github.com/go-jose/go-jose](https://redirect.github.com/go-jose/go-jose)
-
[https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants](https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants)
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-78h2-9frx-2jm8) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### Release Notes
<details>
<summary>go-jose/go-jose (github.com/go-jose/go-jose/v4)</summary>
###
[`v4.1.4`](https://redirect.github.com/go-jose/go-jose/compare/v4.1.3...v4.1.4)
[Compare
Source](https://redirect.github.com/go-jose/go-jose/compare/v4.1.3...v4.1.4)
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
## Need help?
You can ask for more help in the following Slack channel:
#proj-renovate-self-hosted. In that channel you can also find ADR and
FAQ docs in the Resources section.
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDMuOTIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYXV0b21lcmdlLXNlY3VyaXR5LXVwZGF0ZSIsInNldmVyaXR5OkhJR0giLCJ1cGRhdGUtcGF0Y2giXX0=-->
Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
![renovate-sh-app[bot]](https://avatars.githubusercontent.com/u/7195757?v=4&size=40){kind=avatar}
0 commit comments