[SIRT-1753] Bump go-jose/go-jose/v3 to v3.0.5 (CVE-2026-34986)#360
Merged
Addresses CVE-2026-34986 (JWE KeyUnwrap panic / DoS in go-jose) by bumping the transitive dependency from v3.0.4 to v3.0.5. The CVE is not exploitable in this driver — the vulnerable JWE parse/decrypt path in go-jose is never reached; go-jose is only pulled in indirectly via coreos/go-oidc, which the driver uses solely for OIDC provider discovery. The bump is to satisfy SCA scanners.

CVE-2026-41602 (apache/thrift TFramedTransport integer overflow) is also reported by SIRT-1753 but is intentionally NOT addressed here:
- The fix only lands in apache/thrift v0.23.0, which requires Go 1.25.
- This module is pinned to Go 1.20; bumping the go directive would be a breaking change for downstream consumers building against earlier Go toolchains.
- The vulnerable TFramedTransport is not reachable: the driver only uses THttpClient (see internal/client/client.go and config defaults).

The non-exploitability of CVE-2026-41602 will be communicated to SIRT separately rather than via a forced toolchain bump.

Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
gopalldb approved these changes on May 21, 2026
Summary
Addresses SIRT-1753 by bumping the transitive `github.com/go-jose/go-jose/v3` dependency from `v3.0.4` to `v3.0.5`, which patches CVE-2026-34986 (JWE `KeyUnwrap` panic → DoS). `go-jose` is an indirect dependency pulled in via `coreos/go-oidc/v3`. The vulnerable JWE path (`ParseEncrypted*` → `Decrypt`) is never reached by this driver — `go-oidc` is used only for OIDC provider discovery (fetching `.well-known/openid-configuration`).

Scope note: CVE-2026-41602 (apache/thrift) is intentionally not included
SIRT-1753 also flags `github.com/apache/thrift v0.17.0` for CVE-2026-41602 (TFramedTransport integer overflow). This PR does not bump thrift, for two reasons:
1. The fix only lands in `apache/thrift v0.23.0`, which requires Go 1.25. This module's `go.mod` is pinned to `go 1.20`. Bumping the go directive to 1.25 would force every downstream consumer on Go 1.20–1.24 to upgrade their build toolchain — a breaking change inappropriate for a security patch release.
2. The driver only uses `THttpClient` (see `internal/client/client.go:283` and the hardcoded `ThriftTransport: "http"` default in `internal/config/config.go`). `TFramedTransport` is never instantiated — there is no code path, even a fallback, that constructs it.

The non-exploitability of CVE-2026-41602 will be communicated back to SIRT (VEX / suppression) rather than addressed via a toolchain bump. We can revisit when the driver's Go floor moves as part of a planned, communicated minor release.
Test plan
- `go build ./...` — clean
- `go test ./...` — all packages pass

This pull request and its description were written by Isaac.
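As an added illustration (not code from this PR or the driver), a small go.mod policy gate that encodes the three decisions the description relies on: go-jose must stay at or above the patched v3.0.5, the go directive must stay at 1.20, and the thrift finding is carried as an accepted, unreachable exception pinned to the version that was assessed. The go.mod text, module path and policy tables are constructed for the example.

```python
import re
# Constructed go.mod mirroring the PR's end state, not the driver's real file.
SAMPLE_GO_MOD = """module example.com/driver
go 1.20
require (
\tgithub.com/apache/thrift v0.17.0
\tgithub.com/go-jose/go-jose/v3 v3.0.5 // indirect
)
"""

MIN_VERSIONS = {"github.com/go-jose/go-jose/v3": "v3.0.5"}  # CVE-2026-34986 fix
# Findings accepted as unreachable (recorded via VEX), keyed by the version assessed.
ACCEPTED_UNREACHABLE = {"github.com/apache/thrift": "v0.17.0"}  # CVE-2026-41602
EXPECTED_GO_DIRECTIVE = "1.20"  # raising it would break downstream toolchains

def parse_go_mod(text):
    """Return (go_directive, {module: version}); '// indirect' comments are dropped."""
    go_directive, require, in_block = None, {}, False
    for raw in text.splitlines():
        fields = raw.split("//", 1)[0].split()
        if fields == ["require", "("]:
            in_block = True
        elif fields == [")"]:
            in_block = False
        elif len(fields) == 2 and fields[0] == "go":
            go_directive = fields[1]
        elif len(fields) == 3 and fields[0] == "require":
            require[fields[1]] = fields[2]
        elif in_block and len(fields) == 2:
            require[fields[0]] = fields[1]
    return go_directive, require

def version_key(v):
    """Numeric tuple for tagged releases such as 'v3.0.5' or '1.20'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def check_policy(text):
    """Return policy violations for a go.mod; an empty list means it passes."""
    go_directive, require = parse_go_mod(text)
    problems = []
    if go_directive != EXPECTED_GO_DIRECTIVE:
        problems.append(f"go directive is {go_directive}, expected {EXPECTED_GO_DIRECTIVE}")
    for mod, minimum in MIN_VERSIONS.items():
        have = require.get(mod)
        if have is None or version_key(have) < version_key(minimum):
            problems.append(f"{mod} is {have}, need >= {minimum}")
    for mod, assessed in ACCEPTED_UNREACHABLE.items():
        if require.get(mod) != assessed:
            problems.append(f"{mod} moved off {assessed}; re-assess the reachability exception")
    return problems
```

Run `check_policy(SAMPLE_GO_MOD)` in CI against the real go.mod to catch a silent regression to v3.0.4, an accidental go directive bump, or a thrift change that invalidates the recorded reachability assessment.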