dvsekhvalnov jose2go Denial-of-Service Vulnerability via High Compression JWE Tokens

Vulnerability

A denial-of-service vulnerability has been identified in dvsekhvalnov jose2go versions 1.5.0 through 1.7.0. An attacker can trigger a DoS condition by sending a crafted JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When the server decompresses such a token, memory usage and processing time rise sharply, producing the denial of service.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, where the application becomes unresponsive or significantly slower due to excessive resource consumption.

Reproduction

The vulnerability can be reproduced by encrypting a highly compressible payload with the 'A256GCM' content encryption algorithm and the 'RSA_OAEP' key management algorithm, then decrypting the compressed token with the private RSA key. The process can be automated with a Go program that measures the time taken to decode the token, demonstrating the impact of the vulnerability.
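As an added example (not code from this advisory or from jose2go itself), the following Go program shows the mitigation a JWE consumer wants for "zip":"DEF" payloads: the DEFLATE stream is inflated through a hard output cap, so a token with an extreme compression ratio fails fast instead of exhausting memory. The function names, the 256 KiB cap and the constructed sample payload are assumptions; jose2go's own fix in 1.7.0 may be implemented differently.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// ErrInflatedTooLarge is returned when the DEFLATE stream would expand past the cap.
var ErrInflatedTooLarge = errors.New("inflated payload exceeds configured limit")

// inflateBounded decompresses a raw DEFLATE stream (what JWE "zip":"DEF" carries)
// but refuses to produce more than maxOut bytes, so a token with an extreme
// compression ratio cannot drive memory or CPU usage during decompression.
func inflateBounded(compressed []byte, maxOut int64) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	// Read one byte past the limit: if that byte exists, the stream is too big.
	out, err := io.ReadAll(io.LimitReader(r, maxOut+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxOut {
		return nil, ErrInflatedTooLarge
	}
	return out, nil
}

// deflateBytes builds a raw DEFLATE stream; used only to construct sample input.
func deflateBytes(plain []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression) // only fails on a bad level
	w.Write(plain)
	w.Close()
	return buf.Bytes()
}

func main() {
	// Constructed sample: 4 MiB of one repeated byte compresses to a few KB,
	// i.e. the high-ratio payload the advisory describes.
	plain := bytes.Repeat([]byte{'A'}, 4<<20)
	compressed := deflateBytes(plain)
	fmt.Printf("compressed %d bytes -> would inflate to %d bytes\n", len(compressed), len(plain))
	_, err := inflateBounded(compressed, 256<<10) // 256 KiB cap (assumed value)
	fmt.Println("bounded inflate:", err)
}
```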

Remediation

Users are advised to update to dvsekhvalnov jose2go version 1.7.0, where this vulnerability has been fixed.

Added: Nov 12, 2025, 6:24 PM
Updated: Nov 12, 2025, 6:24 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          2.5
exploitability  6.0
remediation     7.9
relevance       0.9
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.