Browse all 3 CVE security advisories affecting go-jose. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Go-jose is a Go implementation of the JavaScript Object Signing and Encryption (JOSE) specifications, primarily used for cryptographic operations in web applications. Historically, it has been susceptible to remote code execution vulnerabilities due to insecure parsing of cryptographic tokens, as well as cross-site scripting flaws through improper input validation. The library has faced three CVEs, including critical issues allowing attackers to bypass authentication or execute arbitrary code via crafted JWT tokens. While not associated with any major public incidents, these vulnerabilities highlight risks in token handling and cryptographic implementation that could lead to complete system compromise if unpatched.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-34986 | Go JOSE affect by a panic in JWE decryption — go-joseCWE-248 | 7.5 | High | 2026-04-06 |
| CVE-2025-27144 | Go JOSE's Parsing Vulnerable to Denial of Service — go-joseCWE-770 | 7.5 | - | 2025-02-24 |
| CVE-2024-28180 | Go JOSE vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) — go-joseCWE-409 | 4.3 | Medium | 2024-03-09 |
This page lists every published CVE security advisory associated with go-jose. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.