jwx · CVE-2024-21664
**Name of the Vulnerable Software and Affected Versions**
jwx versions prior to 1.2.28
jwx versions prior to 2.0.19
**Description**
The issue arises when `jws.Parse` is called with a JSON-serialized payload in which the `signature` field is present but the `protected` field is absent; this leads to a nil pointer dereference. An attacker who can supply input to a system performing JWS verification can use it to crash that system, i.e. a denial-of-service (DoS). The vulnerability also affects functions that call `Parse` internally, such as `jws.Verify`. These functions are supposed to fail gracefully on invalid input and do not require prior validation. The root cause is that the processing in `jws/message.go:UnmarshalJSON()` assumes that whenever a `signature` field is present, a `protected` field is present as well. When that assumption does not hold, the subsequent call to `getB64Value(sig.protected)` dereferences `sig.protected`, which is `nil`.
**Recommendations**
For versions prior to 1.2.28, update to version 1.2.28 or later.
For versions prior to 2.0.19, update to version 2.0.19 or later.
As a temporary workaround, consider validating the input to ensure that the `protected` field is present when the `signature` field is present, before calling `jws.Parse`.
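As an added example (not code from the jwx project), the following Go pre-check implements that workaround: it rejects JSON-serialized JWS input in which any entry carries `signature` without `protected`, covering both the flattened and the general JSON serialization, before the bytes reach `jws.Parse`. The type and function names are my own and the sample inputs are constructed, not real tokens.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// jwsSignature holds the two members of one signature entry that matter here.
// Pointers let us tell "member absent" apart from "member present but empty".
type jwsSignature struct {
	Protected *string `json:"protected"`
	Signature *string `json:"signature"`
}

// jwsEnvelope covers the flattened form (top-level "signature") and the
// general form ("signatures" array) of the JWS JSON serialization.
type jwsEnvelope struct {
	Protected  *string        `json:"protected"`
	Signature  *string        `json:"signature"`
	Signatures []jwsSignature `json:"signatures"`
}

// ValidateJWSJSON returns an error if any signature entry has a "signature"
// member but no "protected" member, the shape that triggers the nil
// dereference in unpatched jwx. Compact serialization (not JSON) is not
// affected by this bug and is passed through unchanged.
func ValidateJWSJSON(raw []byte) error {
	raw = bytes.TrimSpace(raw)
	if len(raw) == 0 || raw[0] != '{' {
		return nil // compact serialization: leave it to jws.Parse
	}
	var env jwsEnvelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return fmt.Errorf("invalid JWS JSON: %w", err)
	}
	entries := env.Signatures
	if env.Signature != nil || env.Protected != nil { // flattened form
		entries = append(entries, jwsSignature{Protected: env.Protected, Signature: env.Signature})
	}
	for i, s := range entries {
		if s.Signature != nil && s.Protected == nil {
			return fmt.Errorf("signature entry %d has \"signature\" but no \"protected\" header", i)
		}
	}
	return nil
}

func main() {
	// Constructed inputs: the second one is the crashing shape.
	good := []byte(`{"payload":"e30","protected":"eyJhbGciOiJIUzI1NiJ9","signature":"AAAA"}`)
	bad := []byte(`{"payload":"e30","signature":"AAAA"}`)
	fmt.Println(ValidateJWSJSON(good)) // <nil>
	fmt.Println(ValidateJWSJSON(bad))  // signature entry 0 has "signature" but no "protected" header
}
```

Call `ValidateJWSJSON` on the raw bytes and only hand them to `jws.Parse` or `jws.Verify` when it returns nil; once upgraded to a fixed release, the check is no longer needed.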