Summary
Security vulnerability CVE-2025-63811 in transitive dependency jose2go (via gosnowflake → 99designs/keyring) requires updating to jose2go v1.8.0.
Vulnerability Details
- CVE: CVE-2025-63811
- Package: github.com/dvsekhvalnov/jose2go
- Affected Versions: v1.5.0 through v1.7.0
- Severity: Medium (DoS)
- Type: Denial of Service via JWT bomb attack
Dependency Chain
```
vault-plugin-database-snowflake
└─ github.com/snowflakedb/gosnowflake
   └─ github.com/99designs/keyring
      └─ github.com/dvsekhvalnov/jose2go v1.5.0 (VULNERABLE)
```
Attack Vector
An attacker can craft malicious JSON Web Encryption (JWE) tokens with exceptionally high compression ratios, causing memory exhaustion and denial of service when processed.
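The defensive check this class of bug calls for is a cap on how much a JWE `"zip":"DEF"` payload may inflate to. The following is an added example written for this issue, not code from jose2go, keyring or the plugin, and it does not claim to reproduce jose2go's own v1.8.0 fix: `inflateBounded` reads at most one byte past a caller-chosen cap, so a highly compressible payload is rejected before it is ever materialised. The sample inputs (a few kilobytes of DEFLATE that expand to 4 MiB of zeros, and a small claims set) are constructed inline.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"io"
)

// ErrInflatedTooLarge is returned when the decompressed payload would exceed
// the caller's cap, which is exactly the condition a "JWT bomb" relies on.
var ErrInflatedTooLarge = errors.New("jwe: inflated payload exceeds limit")

// inflateBounded decompresses a raw DEFLATE stream (the JWE "zip":"DEF"
// encoding) but never materialises more than maxOut bytes: it reads one byte
// past the cap so an oversize input is detected without buffering all of it.
func inflateBounded(compressed []byte, maxOut int64) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, maxOut+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxOut {
		return nil, ErrInflatedTooLarge
	}
	return out, nil
}

// mustDeflate compresses plaintext with raw DEFLATE; it only builds the
// constructed sample inputs below, so it panics instead of returning errors.
func mustDeflate(plaintext []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression) // valid level, err is nil
	if _, err := w.Write(plaintext); err != nil {
		panic(err)
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// bombSample is a constructed input: 4 MiB of zero bytes, which DEFLATE
// shrinks to a few kilobytes, mirroring the extreme ratio the CVE describes.
func bombSample() []byte { return mustDeflate(make([]byte, 4<<20)) }

// legitSample is a constructed, realistically small claims set.
func legitSample() []byte { return mustDeflate([]byte(`{"sub":"vault","role":"snowflake"}`)) }
```

A cap of 64 KiB is generous for any real claims set while rejecting the bomb sample; the same guard applies to any library that inflates attacker-supplied tokens.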
Fix Available
A pull request has been submitted to 99designs/keyring to update jose2go from v1.5.0 to v1.8.0:
- keyring PR: fix: Update jose2go to v1.8.0 to address CVE-2025-63811 99designs/keyring#141
- gosnowflake Issue: SNOW-2855494: Security: Update keyring dependency to fix CVE-2025-63811 in jose2go snowflakedb/gosnowflake#1630
Recommended Actions
- Monitor the keyring PR for merge
- Monitor gosnowflake for dependency update
- Once gosnowflake releases with the patched keyring, update vault-plugin-database-snowflake's dependency
- Update `go.mod` to require the patched gosnowflake version
Testing
The jose2go v1.8.0 update has been tested with keyring and is fully backward compatible:
- ✅ No breaking changes
- ✅ All encryption/decryption operations work identically
- ✅ All tests pass
References
- CVE Details: https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg2068478.html
- JWT Bomb Issue: [Vuln] JWT bomb Attack in decode function dvsekhvalnov/jose2go#33
- Debian Security: Bug#1120701
- jose2go v1.8.0 Release: https://github.com/dvsekhvalnov/jose2go/tree/v1.8.0
Impact
This vulnerability affects all HashiCorp Vault deployments using the Snowflake database plugin, which is used for:
- Snowflake database secret management
- Dynamic credential generation for Snowflake
- Vault-managed Snowflake authentication
Priority
Medium - While the impact is DoS (not data breach), the fix is simple with no breaking changes, making it low-risk to apply once available upstream.