{"id":"GO-2023-2409","summary":"Denial of service when decrypting attacker controlled input in github.com/dvsekhvalnov/jose2go","details":"An attacker controlled input of a PBES2 encrypted JWE blob can have a very large p2c value that, when decrypted, produces a denial-of-service.","aliases":["CVE-2023-50658","GHSA-6294-6rgp-fr7r","GHSA-mhpq-9638-x6pw"],"modified":"2026-03-17T04:49:04.765095Z","published":"2023-12-20T17:35:00Z","related":["CGA-rxp2-268p-j6pw"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2023-2409","review_status":"REVIEWED"},"references":[{"type":"WEB","url":"https://github.com/dvsekhvalnov/jose2go/issues/31"},{"type":"WEB","url":"https://www.blackhat.com/us-23/briefings/schedule/#three-new-attacks-against-json-web-tokens-31695"},{"type":"FIX","url":"https://github.com/dvsekhvalnov/jose2go/commit/a4584e9dd7128608fedbc67892eba9697f0d5317"}],"affected":[{"package":{"name":"github.com/dvsekhvalnov/jose2go","ecosystem":"Go","purl":"pkg:golang/github.com/dvsekhvalnov/jose2go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.5.1-0.20231206184617-48ba0b76bc88"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/dvsekhvalnov/jose2go","symbols":["Compress","Decode","DecodeBytes","Encrypt","EncryptBytes","Pbse2HmacAesKW.Unwrap","Pbse2HmacAesKW.WrapNewKey","decrypt","encrypt"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2023-2409.json"}}],"schema_version":"1.7.5","credits":[{"name":"@mschwager"}]}