Go JOSE Denial-of-Service Vulnerability in JWS and JWE Parsing

Vulnerability

A denial-of-service vulnerability has been identified in the Go JOSE library, specifically in versions 4.x prior to 4.0.5. The issue arises when the library parses compact JSON Web Signature (JWS) or JSON Web Encryption (JWE) inputs. The vulnerability is caused by the use of 'strings.Split' to separate JWT tokens into their parts, which allocates one slice element per '.' in the input and therefore consumes excessive memory when a token is maliciously crafted with a very large number of '.' characters. An attacker could exploit this behavior by sending numerous such malformed tokens, causing memory exhaustion and disrupting service.

Impact

Exploitation of this vulnerability leads to excessive memory usage, causing memory exhaustion and a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending compact JWS or JWE tokens that contain an excessive number of '.' characters. The Go JOSE library will process these tokens in a way that consumes a large amount of memory, leading to memory exhaustion.

Remediation

Users can upgrade to Go JOSE version 4.0.5 or later, which addresses this vulnerability. As an additional measure, applications can pre-validate that tokens do not contain an excessive number of '.' characters.
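The pre-validation suggested above, as an added example that is not go-jose's own code: it counts '.' separators without allocating before any parsing happens, and only then splits with a hard bound. The function names and the constructed sample tokens are illustrative assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Separator counts for the two compact serializations (RFC 7515 / RFC 7516):
// JWS = header.payload.signature            (2 dots, 3 parts)
// JWE = header.key.iv.ciphertext.tag         (4 dots, 5 parts)
const (
	jwsCompactDots = 2
	jweCompactDots = 4
)

var ErrMalformedCompact = errors.New("compact serialization: unexpected number of '.' separators")

// PreValidateCompact rejects a compact JWS/JWE before a parsing library sees it.
// strings.Count walks the input once and allocates nothing, so a token made of
// a million '.' characters costs O(n) time and no extra memory, whereas
// strings.Split would allocate one empty string per separator.
func PreValidateCompact(token string) (int, error) {
	n := strings.Count(token, ".")
	if n != jwsCompactDots && n != jweCompactDots {
		return n, ErrMalformedCompact
	}
	return n, nil
}

// SplitCompactBounded splits a validated token with SplitN, so the number of
// parts is capped by the separator count that was just checked.
func SplitCompactBounded(token string) ([]string, error) {
	n, err := PreValidateCompact(token)
	if err != nil {
		return nil, err
	}
	return strings.SplitN(token, ".", n+1), nil
}

func main() {
	// Constructed inputs, not real tokens: a well-formed JWS shape and a
	// hostile input consisting only of separators.
	good := "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln"
	bad := strings.Repeat(".", 1_000_000)
	for _, tok := range []string{good, bad} {
		parts, err := SplitCompactBounded(tok)
		fmt.Printf("len=%d parts=%d err=%v\n", len(tok), len(parts), err)
	}
}
```

Run the check at the edge of the service (middleware or handler) so rejected tokens never reach the JOSE parser, and combine it with an overall maximum token length.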

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 2.5
exploitability: 5.7
remediation: 7.9
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.