Skip to content
This repository was archived by the owner on Oct 31, 2025. It is now read-only.

fix(deps): Update module github.com/go-jose/go-jose/v4 to v4.0.5 [SECURITY] #6

Merged
merged 1 commit into from
Sep 30, 2025
Merged

fix(deps): Update module github.com/go-jose/go-jose/v4 to v4.0.5 [SECURITY] #6

merged 1 commit into from
Sep 30, 2025

Conversation

@cq-bot
Copy link

@cq-bot cq-bot commented Sep 30, 2025
edited
Loading

This PR contains the following updates:

Package Type Update Change
github.com/go-jose/go-jose/v4 indirect patch v4.0.3 -> v4.0.5

GitHub Vulnerability Alerts

CVE-2025-27144

Impact

When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of '.' characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.

Patches

Version 4.0.5 fixes this issue

Workarounds

Applications could pre-validate payloads passed to go-jose do not contain an excessive number of '.' characters.

References

This is the same sort of issue as in the golang.org/x/oauth2/jws package as CVE-2025-22868 and Go issue https://go.dev/issue/71490.

Release Notes

go-jose/go-jose (github.com/go-jose/go-jose/v4)

v4.0.5

Compare Source

What's Changed

Fixes GHSA-c6gw-w398-hv78

Various other dependency updates, small fixes, and documentation updates in the full changelog

New Contributors

Full Changelog: go-jose/go-jose@v4.0.4...v4.0.5

v4.0.4: Version 4.0.4

Compare Source

Fixed

  • Reverted "Allow unmarshalling JSONWebKeySets with unsupported key types" as a breaking change. See #​136 / #​137.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@cq-bot cq-bot added automerge Add to automerge PRs once requirements are met security labels Sep 30, 2025
@cq-bot
Copy link
Author

cq-bot commented Sep 30, 2025
edited
Loading

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated

Details:

Package Change
github.com/stretchr/testify v1.9.0 -> v1.10.0

@cq-bot cq-bot force-pushed the renovate/go-github.com-go-jose-go-jose-v4-vulnerability branch from 8aed0df to dd65ec1 Compare September 30, 2025 13:31
@erezrokah erezrokah merged commit 59facec into cqmain Sep 30, 2025
5 of 7 checks passed
@cq-bot cq-bot deleted the renovate/go-github.com-go-jose-go-jose-v4-vulnerability branch September 30, 2025 14:22
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@kodiakhq kodiakhq[bot] kodiakhq[bot] approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

automerge Add to automerge PRs once requirements are met security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cq-bot @erezrokah