| id: GO-2026-4945 |
| modules: |
| - module: github.com/go-jose/go-jose/v3 |
| versions: |
| - fixed: 3.0.5 |
| vulnerable_at: 3.0.4 |
| packages: |
| - package: github.com/go-jose/go-jose/v3 |
| - module: github.com/go-jose/go-jose/v4 |
| versions: |
| - fixed: 4.1.4 |
| vulnerable_at: 4.1.3 |
| packages: |
| - package: github.com/go-jose/go-jose/v4 |
| summary: Go JOSE Panics in JWE decryption in github.com/go-jose/go-jose |
| description: |- |
| The go-jose package is subject to a panic when decrypting certain |
| JSON Web Encryption (JWE) tokens. This occurs when an attacker can |
| provide a maliciously crafted JWE token that triggers an unhandled |
| exception during the decryption process, leading to a denial-of-service. |
| cves: |
| - CVE-2026-34986 |
| ghsas: |
| - GHSA-78h2-9frx-2jm8 |
| credits: |
| - Datadog's Security team |
| references: |
| - advisory: https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8 |
| - web: https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants |
| source: |
| id: GHSA-78h2-9frx-2jm8 |
| created: 2026-05-21T09:33:53.602773-04:00 |
| review_status: REVIEWED |
