CVE-2024-28122 MEDIUM

CVE-2024-28122: JWX vulnerable to a denial of service attack using compressed JWE message

Vendor Lestrrat-Go
Product jwx
Weakness CWE-400
Published March 9, 2024
Last update April 16, 2025

CVSS base score

6.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

What the vulnerability does

01Description

JWX is Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. This vulnerability allows an attacker with a trusted public key to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. This issue has been patched in versions 1.2.29 and 2.0.21.

Key dates

02Disclosure timeline

March 9, 2024 CVE published
April 16, 2025 Record updated