PT-2024-2050 · Go Jose+8 · Go-Jose+8

Chenjj +1 · Published 2024-03-07 · Updated 2026-02-26 · CVE-2024-28180

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions
go-jose versions prior to 2.6.3
go-jose versions prior to 3.0.3
go-jose versions prior to 4.0.1
Description
The issue is caused by incorrect handling of highly compressed input data in the go-jose package, which implements the JavaScript Object Signing and Encryption (JOSE) set of standards. An attacker could send a JWE containing compressed data that consumes large amounts of memory and CPU when it is decompressed by the Decrypt or DecryptMulti functions. The fixed versions make these functions return an error if the decompressed data would exceed 250 kB or 10x the compressed size (whichever is larger).
Recommendations
For versions prior to 2.6.3, update to version 2.6.3 or later. For versions prior to 3.0.3, update to version 3.0.3 or later. For versions prior to 4.0.1, update to version 4.0.1 or later. As a temporary workaround, consider restricting the use of the Decrypt and DecryptMulti functions until a patch is available.
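The size bound described above, shown as an added Go example that is not go-jose's own code: raw DEFLATE (the "DEF" compression JWE uses) is inflated through a reader capped at the larger of 250 kB or 10 times the compressed length, so a decompression bomb is rejected before it is fully materialised in memory. The function names, the interpretation of 250 kB as 250,000 bytes, and the sample payloads are assumptions made for this example.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressionTooLarge signals that the inflated payload would exceed the bound.
var ErrDecompressionTooLarge = errors.New("decompressed payload exceeds allowed size")

// maxDecompressed returns the limit described in the advisory: the larger of
// 250 kB or 10 times the compressed input length.
// Assumption for this example: 250 kB is taken as 250*1000 bytes.
func maxDecompressed(compressedLen int) int {
	const floor = 250 * 1000
	if ratio := 10 * compressedLen; ratio > floor {
		return ratio
	}
	return floor
}

// inflateBounded decompresses raw DEFLATE data (RFC 1951, as used by JWE "zip":"DEF")
// but refuses to produce more than maxDecompressed(len(compressed)) bytes.
// Hypothetical helper name; not go-jose's API.
func inflateBounded(compressed []byte) ([]byte, error) {
	limit := maxDecompressed(len(compressed))
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	// Read at most limit+1 bytes: receiving limit+1 bytes proves the payload is
	// too big without ever inflating the whole stream into memory.
	out, err := io.ReadAll(io.LimitReader(r, int64(limit)+1))
	if err != nil {
		return nil, err
	}
	if len(out) > limit {
		return nil, ErrDecompressionTooLarge
	}
	return out, nil
}

// deflate compresses data with raw DEFLATE at best compression; it exists only
// to build the constructed sample inputs used below.
func deflate(data []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(data)
	w.Close()
	return buf.Bytes()
}

func main() {
	// Constructed benign payload: a small claims object that inflates to a few dozen bytes.
	small := deflate([]byte(`{"sub":"alice","role":"reader"}`))
	if out, err := inflateBounded(small); err == nil {
		fmt.Printf("small payload ok: %d compressed -> %d bytes\n", len(small), len(out))
	}

	// Constructed hostile payload: 8 MiB of zeros, which DEFLATE shrinks to a few kB.
	// The 10x rule yields well under 250 kB, so the floor applies and the read is cut off.
	bomb := deflate(make([]byte, 8<<20))
	_, err := inflateBounded(bomb)
	fmt.Printf("bomb payload (%d bytes compressed): %v\n", len(bomb), err)
}
```

The same bound can be applied to any decompress-on-receive path: compute the cap from the input length before inflating, and treat reaching the cap as a hard error rather than truncating, because a truncated payload must never be handed to the caller as if it were complete.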

Exploit · Fix · DoS



Related Identifiers

ALSA-2024:2549
ALSA-2024:3254
ALSA-2024:3826
ALSA-2024:3827
ALSA-2024:3968
ALSA-2024_2549
ALSA-2024_3254
ALSA-2025_16880
ALT-PU-2024-12202
ALT-PU-2024-12410
ALT-PU-2024-8461
ALT-PU-2024-8463
ALT-PU-2024-8542
ALT-PU-2024-8544
ALT-PU-2024-8807
ALT-PU-2024-8809
ALT-PU-2024-9408
ALT-PU-2024-9897
AZL-35837
AZL-35839
AZL-35840
AZL-35842
AZL-35843
AZL-35844
AZL-35845
AZL-35849
AZL-35850
AZL-35855
AZL-35859
AZL-35860
AZL-35875
AZL-35877
AZL-35878
AZL-35879
AZL-35881
AZL-35882
AZL-35883
AZL-35887
AZL-35901
AZL-35904
AZL-38130
AZL-39600
AZL-39704
AZL-43831
AZL-44011
AZL-44373
AZL-45180
BDU:2024-01928
CESA-2024_3254
CESA-2024_3968
CVE-2024-28180
GHSA-C5Q2-7R4C-MV6G
GO-2024-2631
INFSA-2024_2549
INFSA-2024_3826
INFSA-2024_3827
INFSA-2024_3968
MGASA-2024-0343
OESA-2024-1472
OESA-2024-1473
OESA-2024-1474
OESA-2024-1644
OESA-2024-1645
OESA-2024-1701
OESA-2025-1687
OPENSUSE-SU-2024:13905-1
OPENSUSE-SU-2024:13952-1
OPENSUSE-SU-2024_3120-1
OPENSUSE-SU-2024_3151-1
OPENSUSE-SU-2024_3186-1
OPENSUSE-SU-2025:14618-1
OPENSUSE-SU-2025:14663-1
OPENSUSE-SU-2025:15305-1
OPENSUSE-SU-2025:15529-1
OPENSUSE-SU-2025_0066-1
OPENSUSE-SU-2025_0623-1
OPENSUSE-SU-2026:20279-1
OPENSUSE-SU-2026:20654-1
OPENSUSE-SU-2026:20730-1
RHSA-2024:1456
RHSA-2024:1563
RHSA-2024:1567
RHSA-2024:1574
RHSA-2024:2049
RHSA-2024:2054
RHSA-2024:2071
RHSA-2024:2549
RHSA-2024:2669
RHSA-2024:2672
RHSA-2024:2776
RHSA-2024:2784
RHSA-2024:2877
RHSA-2024:3254
RHSA-2024:3351
RHSA-2024:3826
RHSA-2024:3827
RHSA-2024:3968
RHSA-2024_2549
RHSA-2024_3254
RHSA-2024_3826
RHSA-2024_3827
RHSA-2024_3968
RLSA-2024:2549
RLSA-2024:3254
RLSA-2024:3826
RLSA-2024:3827
RLSA-2024:3968
SUSE-SU-2024:1987-1
SUSE-SU-2024:1987-2
SUSE-SU-2024:2754-1
SUSE-SU-2024:3120-1
SUSE-SU-2024:3151-1
SUSE-SU-2024:3186-1
SUSE-SU-2024_1987-1
SUSE-SU-2024_2754-1
SUSE-SU-2025:0066-1
SUSE-SU-2025:0622-1
SUSE-SU-2025:0623-1
SUSE-SU-2025:0624-1
SUSE-SU-2025:20019-1
SUSE-SU-2025_0066-1
SUSE-SU-2026:20550-1

Affected Products

Alt Linux
Almalinux
Centos
Debian
Red Hat
Red Os
Rocky Linux
Suse
Go-Jose