Description
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.
Published: 2026-04-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Immediately
AI Analysis

Impact

During JSON Web Encryption decryption, the library panics when a key wrapping algorithm is specified and the encrypted_key field is empty. The panic occurs inside cipher.KeyUnwrap(), which attempts to create a slice of zero or negative length based on the encrypted_key’s length. The crash of the application amounts to a denial of service. The weakness is rooted in improper bounds handling and invalid memory allocation (CWE‑131, CWE‑248).

Affected Systems

The issue affects the go‑jose implementation of JOSE for Go, specifically all releases prior to version 4.1.4 and 3.0.5. Any project importing go‑jose before these versions and performing JWE decryption with key wrapping algorithms and missing encrypted_key content is vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity impact. EPSS shows the likelihood of exploitation is less than 1% and the vulnerability is not listed in the CISA KEV catalog. An attacker could trigger the panic by supplying a crafted JWE token that specifies a key wrapping algorithm and an empty encrypted_key, or by providing a ciphertext under 16 bytes when calling KeyUnwrap directly. The attack would require that the library be exercised by the application, which is generally a local or user‑controlled input scenario. Once triggered the process will terminate, causing a denial of service. No publicly available exploit is known, but the low EPSS suggests that attacks would be opportunistic rather than widespread.

Generated by OpenCVE AI on April 7, 2026 at 19:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to go-jose v4.1.4 or later (v3.0.5 or newer).
  • If upgrading is not immediately possible, configure ParseEncrypted* functions to exclude key‑wrapping algorithms from the accepted list so that parsing fails before decryption.
  • Validate that the encrypted_key is non‑empty and that ciphertext length is at least 16 bytes before invoking decryption routines.

Generated by OpenCVE AI on April 7, 2026 at 19:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-78h2-9frx-2jm8 Go JOSE Panics in JWE decryption
History

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity

None

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

threat_severity

Important

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Go-jose
Go-jose go-jose
Vendors & Products Go-jose
Go-jose go-jose

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.
Title Go JOSE affect by a panic in JWE decryption
Weaknesses CWE-248
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Go-jose Go-jose
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T14:21:54.041Z

Reserved: 2026-03-31T19:38:31.617Z

Link: CVE-2026-34986

cve-icon Vulnrichment

Updated: 2026-04-07T14:21:49.130Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-06T17:17:11.870

Modified: 2026-04-07T13:20:11.643

Link: CVE-2026-34986

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-06T16:22:45Z

Links: CVE-2026-34986 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:50:41Z

Weaknesses