CVE-2024-28180— Go JOSE vulnerable to Improper Handling of Highly Compressed Data (Data Amplification)
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-28180
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Go JOSE vulnerable to Improper Handling of Highly Compressed Data (Data Amplification)
Source: NVD (National Vulnerability Database)
Vulnerability Description
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
对高度压缩数据的处理不恰当(数据放大攻击)
Source: NVD (National Vulnerability Database)
Vulnerability Title
jose 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
jose是用于 JSON 对象签名和加密的 JavaScript 模块。 jose 4.0.1之前、3.0.3之前、2.6.3之前版本存在安全漏洞,该漏洞源于攻击者可以发送包含压缩数据的 JWE,这些数据在通过 Decrypt 或 DecryptMulti 解压缩时会使用大量内存和 CPU。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2024-28180
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-28180
请登录查看更多情报信息。
- https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6gx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2024-28180
IV. Related Vulnerabilities
Same weakness: CWE-409
- CVE-2026-43970
Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhau - CVE-2026-44432
urllib3: Decompression-bomb safeguards bypassed in parts of - CVE-2026-42886
Audiobookshelf: Memory amplification DoS via oversized compr - CVE-2026-27460
Tandoor Recipes Affected by Denial of Service via Recipe Imp - CVE-2026-40148
PraisonAI Affected by Decompression Bomb DoS via Recipe Bund
V. Comments for CVE-2024-28180
No comments yet