Improper Handling of Highly Compressed Data (Data Amplification)

CVE-2024-28180

Severity Medium
Score 4.3/10

Summary

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An Improper Handling of Highly Compressed Data (Data Amplification) vulnerability is present in github.com/go-jose/go-jose package versions prior to 2.6.3, 3.x prior to 3.0.3, and 4.x prior to 4.0.1. By using this flaw, an attacker could send a JWE containing compressed data that consumed large amounts of memory and CPU when decompressed by "Decrypt" or "DecryptMulti". Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger).
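The size cap described above, as an added Go example that is not go-jose's own code: the 250kB figure is taken as 250,000 bytes, the function and error names are mine, and the compressed sample is constructed from zeros to stand in for a highly compressible JWE payload.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)
var ErrDecompressionLimit = errors.New("decompressed data would be too large")

// maxDecompressed applies the advisory's rule: the larger of 250kB (taken here
// as 250,000 bytes) or 10x the compressed size.
func maxDecompressed(compressedLen int) int64 {
	limit := int64(250_000)
	if ratio := 10 * int64(compressedLen); ratio > limit {
		limit = ratio
	}
	return limit
}

// inflateBounded inflates raw DEFLATE data (JWE "zip":"DEF") but reads at most
// limit+1 bytes, so a tiny, highly compressible payload cannot exhaust memory.
func inflateBounded(compressed []byte) ([]byte, error) {
	limit := maxDecompressed(len(compressed))
	r := flate.NewReader(bytes.NewReader(compressed))
	var out bytes.Buffer
	n, err := io.CopyN(&out, r, limit+1) // the extra byte reveals an oversize stream
	if err != nil && !errors.Is(err, io.EOF) {
		return nil, err // corrupt or truncated DEFLATE stream
	}
	if n > limit {
		return nil, ErrDecompressionLimit
	}
	return out.Bytes(), nil
}

func deflate(plain []byte) []byte { // helper: builds a constructed compressed payload
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(plain)
	w.Close()
	return buf.Bytes()
}

func main() {
	bomb := deflate(make([]byte, 4<<20)) // constructed: 4 MiB of zeros shrinks to a few kB
	_, err := inflateBounded(bomb)
	fmt.Printf("%d compressed bytes rejected: %v\n", len(bomb), err)
}
```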

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • LOW
  • NONE
  • LOW

CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)

The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Advisory Timeline

  • Published