Skip to content

Version 4.0.1
Compare
Choose a tag to compare
@jsha jsha released this 07 Mar 19:47
· 8 commits to main since this release
v4.0.1
f4c051a
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.

Fixed

  • An attacker could send a JWE containing compressed data that used large
    amounts of memory and CPU when decompressed by Decrypt or DecryptMulti.
    Those functions now return an error if the decompressed data would exceed
    250kB or 10x the compressed size (whichever is larger). Thanks to
    Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj)
    for reporting.

Contributors

chenjj and zer0yu
Assets 2