CGA-9vg5-h493-cxr7
Uncontrolled Resource Consumption vulnerability in v4 (Go)

Tags: Uncontrolled Resource Consumption · No known exploit · Fixable by Resolved Security

What is CGA-9vg5-h493-cxr7 About?

This vulnerability in JWE processing allows an attacker to send compressed data that consumes excessive memory and CPU upon decompression. This leads to a denial-of-service condition by exhausting system resources. Exploitation is relatively straightforward by crafting a specially compressed JWE payload.

Affected Software

  • github.com/go-jose/go-jose/v4
    • <4.0.1
  • github.com/go-jose/go-jose/v3
    • <3.0.3
  • gopkg.in/go-jose/go-jose.v2
    • <2.6.3
  • gopkg.in/square/go-jose.v2
    • <=2.6.0

Technical Details

The vulnerability lies in the JWE (JSON Web Encryption) decryption process. When a JWE token containing compressed data is received, the decryption routine (e.g., Decrypt or DecryptMulti) attempts to decompress the payload. An attacker can craft a JWE where the compressed data is designed to inflate significantly upon decompression (e.g., using a zip bomb-like technique). This excessive decompression demand consumes disproportionately large amounts of system memory and CPU resources, causing the application to slow down or even crash due to resource exhaustion, leading to a denial-of-service condition.

What is the Impact of CGA-9vg5-h493-cxr7?

Successful exploitation may allow attackers to cause a denial-of-service by consuming excessive memory and CPU resources, rendering the application unresponsive.

What is the Exploitability of CGA-9vg5-h493-cxr7?

Exploitation is of low complexity. An attacker needs to craft a JWE token with a payload that, when decompressed, consumes vast amounts of resources. No authentication is typically required to send such a JWE if the application processes unauthenticated JWEs. Privilege requirements are minimal, only requiring standard network access to send the JWE. This is a remote attack vector. The primary risk factor is any application that accepts and decrypts JWE tokens from untrusted sources, especially if no limits are in place for the size of decompressed data. Such an attack can be easily repeated to maintain a denial-of-service state.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CGA-9vg5-h493-cxr7?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch adds checks to the decompression logic that cap the size of decompressed data at 250 kB or at a multiple of the compressed size (10x for single-recipient JWEs, 3x for multi-recipient JWEs), whichever is larger. This fixes CVE-2024-28180 by preventing "zip bomb" attacks, where specially crafted inputs decompress to extremely large amounts of data and can lead to denial of service.
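The bound described in this fix, and the decompression step from the Technical Details section, as an added Go example that is not go-jose's own code: the function names, the 250 kB floor and the ratio parameter are the example's own, chosen to mirror the policy stated above, and the inputs are constructed inline.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

var ErrDecompressionLimit = errors.New("decompressed data exceeds configured limit")

// decompressLimit mirrors the patch policy: max(250 kB, ratio * compressed size),
// ratio 10 for single-recipient, 3 for multi. Names here are the example's own.
func decompressLimit(compressedLen, ratio int) int {
	const floor = 250_000
	if l := compressedLen * ratio; l > floor {
		return l
	}
	return floor
}

// inflateBounded inflates DEFLATE data (JWE "zip":"DEF") but never emits more
// than limit bytes: reading limit+1 through LimitReader detects overflow early.
func inflateBounded(compressed []byte, limit int) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, int64(limit)+1))
	if err != nil {
		return nil, err
	}
	if len(out) > limit {
		return nil, ErrDecompressionLimit
	}
	return out, nil
}

func deflate(data []byte) []byte { // builds constructed inputs for main/tests
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(data)
	w.Close()
	return buf.Bytes()
}

func main() {
	bomb := deflate(make([]byte, 5_000_000)) // constructed: 5 MB of zeros
	_, err := inflateBounded(bomb, decompressLimit(len(bomb), 10))
	fmt.Println(len(bomb), "compressed bytes ->", err)
}
```

Because the reader stops at limit+1 bytes, a highly compressible payload is rejected after at most 250 kB of output rather than after the full expansion has been allocated.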

Available Upgrade Options

  • github.com/go-jose/go-jose/v3
    • <3.0.3 → Upgrade to 3.0.3
  • github.com/go-jose/go-jose/v4
    • <4.0.1 → Upgrade to 4.0.1
  • gopkg.in/go-jose/go-jose.v2
    • <2.6.3 → Upgrade to 2.6.3


Additional Resources

What are Similar Vulnerabilities to CGA-9vg5-h493-cxr7?

Similar Vulnerabilities: CVE-2022-37454, CVE-2021-42340, CVE-2018-10237, CVE-2023-27532, CVE-2020-1945