From a47013ff3c932d0f32efb3b883c83452be9c9bc3 Mon Sep 17 00:00:00 2001 From: Poupapaa <3238986+poupapaa@users.noreply.github.com> Date: Thu, 20 Nov 2025 11:50:29 +0100 Subject: [PATCH] fix: Update jose2go to v1.8.0 to address CVE-2025-63811 CVE-2025-63811 is a DoS vulnerability affecting jose2go versions 1.5.0 through 1.7.0. The vulnerability allows an attacker to cause a denial of service via crafted JSON Web Encryption (JWE) tokens with exceptionally high compression ratios (JWT bomb attack). Changes: - Update github.com/dvsekhvalnov/jose2go from v1.5.0 to v1.8.0 - v1.8.0 adds RSA-OAEP-384 and RSA-OAEP-512 support - No breaking changes - fully backward compatible - All existing file keyring encryption/decryption continues to work Security: - Resolves CVE-2025-63811 (DoS via JWT bomb) - v1.7.0 introduced 250KB decompression limit - v1.8.0 includes additional security improvements Testing: - All file keyring tests pass successfully - Encryption/decryption operations verified - No API changes required Fixes: CVE-2025-63811
---
go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index a9ebba4..26d43ad 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.19
 require (
 github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4
 github.com/danieljoos/wincred v1.1.2
- github.com/dvsekhvalnov/jose2go v1.5.0
+ github.com/dvsekhvalnov/jose2go v1.8.0
 github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2
 github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c
 github.com/mtibben/percent v0.2.1
diff --git a/go.sum b/go.sum
index b7726bf..2dca697 100644
--- a/go.sum
+++ b/go.sum
@@ -5,8 +5,8 @@ github.com/danieljoos/wincred v1.1.2/go.mod h1:GijpziifJoIBfYh+S7BbkdUTU4LfM+QnG
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dvsekhvalnov/jose2go v1.5.0 h1:3j8ya4Z4kMCwT5nXIKFSV84YS+HdqSSO0VsTQxaLAeM=
-github.com/dvsekhvalnov/jose2go v1.5.0/go.mod h1:QsHjhyTlD/lAVqn/NSbVZmSCGeDehTB/mPZadG+mhXU=
+github.com/dvsekhvalnov/jose2go v1.8.0 h1:LqkkVKAlHFfH9LOEl5fe4p/zL02OhWE7pCufMBG2jLA=
+github.com/dvsekhvalnov/jose2go v1.8.0/go.mod h1:QsHjhyTlD/lAVqn/NSbVZmSCGeDehTB/mPZadG+mhXU=
 github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 h1:ZpnhV/YsD2/4cESfV5+Hoeu/iUR3ruzNvZ+yQfO03a0=
 github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
 github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c h1:6rhixN/i8ZofjG1Y75iExal34USq5p+wiN1tpie8IrU=