PT-2024-19006 · Jwx · Jwx
Frestr · Published 2024-01-09 · Updated 2024-02-05 · CVE-2024-21664

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions
jwx versions prior to 1.2.28
jwx versions prior to 2.0.19

Description
The issue arises when calling jws.Parse with a JSON-serialized payload in which the signature field is present while the protected field is absent, leading to a nil pointer dereference. This can be used to crash a system doing JWS verification, i.e. to perform a denial-of-service (DoS) attack. The vulnerability also affects other functions that call Parse internally, such as jws.Verify. These functions are supposed to fail gracefully on invalid input and do not require prior validation. The problem occurs because the processing in jws/message.go:UnmarshalJSON() assumes that if a signature field is present, a protected field is also present. If that is not the case, the subsequent call to getB64Value(sig.protected) dereferences sig.protected, which is nil.

Recommendations
For versions prior to 1.2.28, update to version 1.2.28 or later. For versions prior to 2.0.19, update to version 2.0.19 or later. As a temporary workaround, validate the input to ensure that the protected field is present whenever the signature field is present, before calling jws.Parse.
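An added Go example of the pre-validation the workaround describes; it is not code from the advisory or from the jwx project. It inspects the JWS JSON serialization, in both the flattened form (top-level protected/signature) and the general form (a signatures array), and rejects any message that carries a signature without a protected header before the bytes are handed to jws.Parse or jws.Verify. The type and function names, and the sample input, are this example's own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// jwsSignature mirrors one signature object of the JWS JSON serialization.
// Pointer fields let us tell an absent key from an empty string.
type jwsSignature struct {
	Protected *string `json:"protected"`
	Signature *string `json:"signature"`
}

// jwsJSON accepts both the flattened form (protected/signature at top level)
// and the general form (a "signatures" array); names are this example's own.
type jwsJSON struct {
	Protected  *string        `json:"protected"`
	Signature  *string        `json:"signature"`
	Signatures []jwsSignature `json:"signatures"`
}

// ErrMissingProtected is returned for exactly the shape that crashes
// unpatched jwx: a signature field present while protected is absent.
var ErrMissingProtected = errors.New("jws: signature present but protected header missing")

// ValidateJWSJSON is the workaround check: run it on untrusted input
// before jws.Parse / jws.Verify so the bad shape never reaches them.
func ValidateJWSJSON(raw []byte) error {
	var msg jwsJSON
	if err := json.Unmarshal(raw, &msg); err != nil {
		return fmt.Errorf("jws: not a JSON serialization: %w", err)
	}
	if msg.Signature != nil && msg.Protected == nil {
		return ErrMissingProtected
	}
	for i, sig := range msg.Signatures {
		if sig.Signature != nil && sig.Protected == nil {
			return fmt.Errorf("jws: signatures[%d]: %w", i, ErrMissingProtected)
		}
	}
	return nil
}

func main() {
	// Constructed sample: the crashing shape from the advisory (values are dummies).
	bad := []byte(`{"payload":"eyJ9","signature":"AAAA"}`)
	fmt.Println(ValidateJWSJSON(bad)) // jws: signature present but protected header missing
}
```

Compact serialization (the dot-separated form) is not JSON and is rejected by the unmarshal step, so route it to a separate code path if your service accepts both.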

Weakness Enumeration
NULL Pointer Dereference

Related Identifiers
CVE-2024-21664
GHSA-PVCR-V8J8-J5Q3
GO-2024-2454

Affected Products
Jwx