JWK Set · CVE-2025-22149
**Name of the Vulnerable Software and Affected Versions**
JWK Set versions prior to 0.6.0
**Description**
The project's provided auto-caching HTTP client keeps a local copy of the remote JWK Set. When its background goroutine refreshes that copy, the cached set should be fully replaced. In affected versions the refresh instead overwrites or appends entries, so a key that has been removed from the remote JWK Set remains in the local cache. This is a security issue for deployments that use the provided auto-caching HTTP client and treat removal of a key from the JWK Set as revocation. An example attack scenario involves an attacker using a stolen private key to sign content after the key has been removed from the JWK Set: the stale cache still resolves the removed key, so the signature is accepted.
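The following is an added illustration of the cache behaviour described above, not code from the JWK Set project. It models the remote JWK Set as a constructed map of `kid` to public-key string and compares two refresh strategies for a local cache: a merge (overwrite or append, the behaviour the advisory describes for affected versions) and a full replacement (the behaviour the advisory says a refresh should have, and what a custom refresh used in place of the auto-caching client should do). The `cache`, `refreshMerge`, `refreshReplace` and `RevokedKeyStillTrusted` names are assumptions for this example only.

```go
package main

import (
	"fmt"
	"sync"
)

// jwkSet is a constructed stand-in for a remote JWK Set: "kid" -> public key.
type jwkSet map[string]string

// cache is a simplified local copy of the remote JWK Set (hypothetical type).
type cache struct {
	mu   sync.RWMutex
	keys map[string]string
}

func newCache() *cache { return &cache{keys: map[string]string{}} }

// refreshMerge models the affected behaviour: each refresh overwrites or
// appends entries but never drops keys the remote set no longer publishes.
func (c *cache) refreshMerge(remote jwkSet) {
	c.mu.Lock()
	defer c.mu.Unlock()
	for kid, k := range remote {
		c.keys[kid] = k
	}
}

// refreshReplace models the intended behaviour: the local cache becomes an
// exact copy of the remote set, so a key removed remotely disappears locally.
func (c *cache) refreshReplace(remote jwkSet) {
	fresh := make(map[string]string, len(remote))
	for kid, k := range remote {
		fresh[kid] = k
	}
	c.mu.Lock()
	c.keys = fresh
	c.mu.Unlock()
}

// lookup is what a token verifier would call to resolve a "kid" header.
func (c *cache) lookup(kid string) (string, bool) {
	c.mu.RLock()
	defer c.mu.RUnlock()
	k, ok := c.keys[kid]
	return k, ok
}

// RevokedKeyStillTrusted runs the revocation scenario against one refresh
// strategy: the remote set first publishes key-1 and key-2, then the operator
// removes key-1 (revocation). It reports whether key-1 is still resolvable
// from the local cache after the second refresh.
func RevokedKeyStillTrusted(refresh func(*cache, jwkSet)) bool {
	c := newCache()
	refresh(c, jwkSet{"key-1": "pub-1", "key-2": "pub-2"}) // constructed sample data
	refresh(c, jwkSet{"key-2": "pub-2"})                   // key-1 removed remotely
	_, found := c.lookup("key-1")
	return found
}

func main() {
	fmt.Println("merge   -> revoked key still trusted:", RevokedKeyStillTrusted((*cache).refreshMerge))
	fmt.Println("replace -> revoked key still trusted:", RevokedKeyStillTrusted((*cache).refreshReplace))
}
```

Running this prints `true` for the merge strategy and `false` for full replacement. The check in `RevokedKeyStillTrusted` is also the shape of a regression test worth keeping around any custom cache: remove a key from the source set, refresh, and assert that the verifier can no longer resolve it.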
**Recommendations**
For versions prior to 0.6.0, upgrade to version 0.6.0 or later to resolve the issue.
As a temporary workaround, disable the provided auto-caching HTTP client by setting `HTTPClientStorageOptions.RefreshInterval` to zero (or leaving it unset), and replace it with a custom implementation that fully replaces the cached JWK Set on each refresh.