JWK Set Go Library Cache Retains Removed Keys After Refresh
Vulnerability
A vulnerability exists in the JWK Set Go library (github.com/MicahParks/jwkset) in versions 0.5.0 prior to 0.6.0. The HTTP client's local JWK Set cache does not remove keys when it refreshes from the remote URL: each refresh writes the fetched keys into the cache by key ID, overwriting entries that are still published and adding new ones, but a key that has disappeared from the remote JWK Set is left in the local cache. Applications that use the auto-refreshing HTTP client and treat removal of a key from the published JWK Set as immediate revocation therefore keep trusting the removed key.
Impact
A key that the issuer has removed from its JWK Set, whether as a rotation, a revocation, or because the private key was compromised, continues to be returned by the affected client's cache and accepted for signature verification until the process restarts or the cache is rebuilt from a fresh fetch. Anyone holding the corresponding private key can keep minting tokens that verify against the stale public key, defeating any control that relies on the remote JWK Set being authoritative. The described behaviour does not add keys that were never published; it only delays the effect of removing one.
Reproduction
To reproduce this vulnerability, use a Go project that depends on JWK Set version 0.5.0 through 0.5.21, create the auto-refreshing HTTP client with a refresh interval greater than zero, and point it at a JWK Set endpoint you control. Let the client complete its first refresh, then remove one key from the served JWK Set and wait for the next refresh: the removed key is still returned by the local cache, and tokens signed with it still verify, instead of the key being dropped.
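The following Go program is an added example, not code from the jwkset library or from the advisory. It models the cache behaviour described in the Vulnerability and Reproduction sections with a hypothetical in-memory cache keyed by kid: Refresh with replaceAll=false merges fetched keys and never deletes (the affected behaviour), while replaceAll=true swaps the whole set (the fix). An in-process httptest server plays the issuer; it first publishes kids key-a and key-b, then drops key-b. The kid values and the minimal JWK fields are constructed for the example; Has stands in for the kid lookup a verifier performs before checking a signature.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"sync"
)

// jwk carries only the fields needed to track cache membership (constructed
// for this example; real keys also carry crv/x or n/e and so on).
type jwk struct {
	KID string `json:"kid"`
	KTY string `json:"kty"`
}

// jwkSet is the RFC 7517 top-level object: {"keys": [...]}.
type jwkSet struct {
	Keys []jwk `json:"keys"`
}

// cache is a hypothetical local JWK Set cache keyed by kid, standing in for
// the library's HTTP client storage.
type cache struct {
	mu   sync.RWMutex
	keys map[string]jwk
}

func newCache() *cache { return &cache{keys: map[string]jwk{}} }

// fetch downloads and decodes the remote JWK Set.
func fetch(url string) (jwkSet, error) {
	resp, err := http.Get(url)
	if err != nil {
		return jwkSet{}, err
	}
	defer resp.Body.Close()
	var set jwkSet
	err = json.NewDecoder(resp.Body).Decode(&set)
	return set, err
}

// Refresh fetches the remote set. With replaceAll=false it mirrors the
// affected behaviour: keys are written by kid and never deleted, so a key
// removed upstream survives locally. With replaceAll=true it mirrors the
// fix: the cached set is discarded and rebuilt from the fetched one.
func (c *cache) Refresh(url string, replaceAll bool) error {
	set, err := fetch(url)
	if err != nil {
		return err
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	if replaceAll {
		c.keys = make(map[string]jwk, len(set.Keys))
	}
	for _, k := range set.Keys {
		c.keys[k.KID] = k
	}
	return nil
}

// Has reports whether the cache would still hand out a key for kid.
func (c *cache) Has(kid string) bool {
	c.mu.RLock()
	defer c.mu.RUnlock()
	_, ok := c.keys[kid]
	return ok
}

// Simulate publishes key-a and key-b, refreshes both caches, removes key-b
// upstream (the revocation), refreshes again, and reports whether each cache
// still trusts key-b.
func Simulate() (mergeStale, replaceStale bool, err error) {
	var mu sync.Mutex
	current := jwkSet{Keys: []jwk{{KID: "key-a", KTY: "OKP"}, {KID: "key-b", KTY: "OKP"}}}
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		mu.Lock()
		defer mu.Unlock()
		_ = json.NewEncoder(w).Encode(current)
	}))
	defer srv.Close()

	merge, replace := newCache(), newCache()
	refreshBoth := func() error {
		if err := merge.Refresh(srv.URL, false); err != nil {
			return err
		}
		return replace.Refresh(srv.URL, true)
	}
	if err = refreshBoth(); err != nil {
		return
	}
	// The issuer drops key-b from its published set.
	mu.Lock()
	current = jwkSet{Keys: []jwk{{KID: "key-a", KTY: "OKP"}}}
	mu.Unlock()
	if err = refreshBoth(); err != nil {
		return
	}
	return merge.Has("key-b"), replace.Has("key-b"), nil
}
```

After the second refresh the merging cache still answers true for key-b while the replacing cache answers false; a verifier fed a token with kid key-b would accept it from the first cache and reject it from the second. Replacing the set under a single lock also avoids the window in which a delete-then-insert approach would briefly expose an empty cache.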
Remediation
Upgrade the JWK Set library to version 0.6.0 or later, which replaces the cached set on refresh instead of merging into it. If an immediate upgrade is not possible, do not rely on the auto-refreshing HTTP client's cache for revocation: either fetch the remote JWK Set on demand for each verification, or rebuild the local set from scratch on every refresh rather than writing keys into the existing map. Merely setting the refresh interval to zero is not a fix on its own: it avoids the faulty merge, but it also freezes the cache at the initial fetch, so a key removed upstream is still trusted until the process restarts.