CVE-2024-21664
Panic due to nil pointer dereference vulnerability in jwx (Go)
What is CVE-2024-21664 About?
This vulnerability is a nil pointer dereference issue in `github.com/lestrrat-go/jwx/v2`, which causes the application to panic. This directly leads to a denial-of-service condition because the program crashes. Exploiting this vulnerability is relatively easy if an attacker can provide input that triggers the dereference.
Affected Software
- github.com/lestrrat-go/jwx: >1.0.8, <1.2.28
- github.com/lestrrat-go/jwx/v2: <2.0.19
Technical Details
The vulnerability lies in the github.com/lestrrat-go/jwx/v2 library (and the corresponding v1 releases listed above), on a code path that processes certain data structures or inputs. On that path a pointer that is expected to hold a valid memory address instead holds `nil`. When the program dereferences it, the Go runtime raises a panic; if nothing recovers that panic, the process terminates, which is a denial of service for any service that relies on this library.
What is the Impact of CVE-2024-21664?
Successful exploitation may allow attackers to cause a denial-of-service, crashing the application and rendering it unavailable.
What is the Exploitability of CVE-2024-21664?
Exploitation complexity is generally low to moderate. An attacker needs to provide input that, when processed by the github.com/lestrrat-go/jwx/v2 library, reaches the code path where the nil pointer is dereferenced. Authentication requirements depend on whether that code path can be reached by unauthenticated users; typically, if the application processes external input, the attack can be carried out remotely. There are no privilege requirements beyond submitting the malicious input. The result is a crash, which is easily repeatable. The risk is higher for applications that process untrusted JWTs or other cryptographic objects through this library.
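The following is an added illustration of the failure mode and mitigation described in the two sections above; it is not code from jwx or from this advisory. `Claims`, the hypothetical parser `parseUntrusted` and the token strings are constructed for the example: the parser returns `nil` for one malformed input, `SubjectUnsafe` dereferences it and would take the whole process down, and `SubjectSafe` recovers the panic into an error for that one input and logs the stack so the event is visible to monitoring.

```go
package main

import (
	"fmt"
	"log"
	"runtime/debug"
)

// Claims is a constructed stand-in for a parsed token; it is not a jwx type.
type Claims struct {
	Subject string
}

// parseUntrusted is a hypothetical parser standing in for a library call with
// this bug class: for one malformed input it returns nil where the caller
// expects a valid pointer. It is not jwx code.
func parseUntrusted(token string) *Claims {
	if token == "malformed" {
		return nil // the bug: nil where a valid pointer is expected
	}
	return &Claims{Subject: "alice"}
}

// SubjectUnsafe dereferences the result without checking it. For the malformed
// token the Go runtime raises "panic: runtime error: invalid memory address or
// nil pointer dereference", and an unrecovered panic ends the whole process.
func SubjectUnsafe(token string) string {
	return parseUntrusted(token).Subject
}

// SubjectSafe runs the same code but converts a panic raised while handling
// one input into an error for that input only, so other work keeps running.
func SubjectSafe(token string) (subject string, err error) {
	defer func() {
		if r := recover(); r != nil {
			// Keep the stack trace: a burst of these log lines is the
			// detection signal for crafted input hitting the library.
			log.Printf("recovered panic while processing token: %v\n%s", r, debug.Stack())
			subject = ""
			err = fmt.Errorf("token rejected: %v", r)
		}
	}()
	return SubjectUnsafe(token), nil
}

func main() {
	for _, tok := range []string{"good-token", "malformed"} {
		subject, err := SubjectSafe(tok)
		fmt.Printf("%-12s subject=%q err=%v\n", tok, subject, err)
	}
	// SubjectUnsafe("malformed") would crash the program instead of reporting an error.
}
```

The recovery wrapper only limits the blast radius; the fix is the upgrade below. Note that Go's net/http server already recovers panics inside handlers and logs them as "http: panic serving ...", but goroutines started by a handler, gRPC servers without a recovery interceptor, and batch or CLI consumers of the library have no such safety net, so those are the places where one malformed token ends the process.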
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-21664?
Available Upgrade Options
- github.com/lestrrat-go/jwx/v2: <2.0.19 → upgrade to 2.0.19
- github.com/lestrrat-go/jwx: >1.0.8, <1.2.28 → upgrade to 1.2.28
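As an added example that is not part of this advisory or the jwx project, the following Go program encodes the two affected ranges above and checks the `path version` lines printed by `go list -m all` against them. The sample output `sampleGoList` is constructed. Bounds follow the advisory: a v1 release is affected when it is above 1.0.8 and below 1.2.28, and a v2 release when it is below 2.0.19; pre-release tags sort below their release, so `v2.0.19-rc1` is still reported.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// affectedRange is one vulnerable module line from the advisory. Bounds are
// exclusive: a version is affected when introduced < v < fixed.
type affectedRange struct {
	module     string
	introduced string // "" means every version below fixed is affected
	fixed      string
}

// Ranges copied from the "Affected Software" section of this advisory.
var cve202421664 = []affectedRange{
	{module: "github.com/lestrrat-go/jwx", introduced: "v1.0.8", fixed: "v1.2.28"},
	{module: "github.com/lestrrat-go/jwx/v2", introduced: "", fixed: "v2.0.19"},
}

// parseVersion turns "v1.2.27", "1.2.27" or "v1.2.27-rc1" into
// [major minor patch release], where release is 1 for a final version and 0
// for a pre-release or pseudo-version, so pre-releases sort below the release.
func parseVersion(v string) ([4]int, error) {
	var out [4]int
	v = strings.TrimPrefix(v, "v")
	out[3] = 1
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		out[3] = 0
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("not a semver version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, fmt.Errorf("bad version component %q", p)
		}
		out[i] = n
	}
	return out, nil
}

// compare returns -1, 0 or 1 for a < b, a == b, a > b.
func compare(a, b [4]int) int {
	for i := range a {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// IsAffected reports whether module@version falls inside a vulnerable range.
func IsAffected(module, version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	for _, r := range cve202421664 {
		if r.module != module {
			continue
		}
		fixed, _ := parseVersion(r.fixed)
		if compare(v, fixed) >= 0 {
			return false, nil // at or above the first fixed version
		}
		if r.introduced == "" {
			return true, nil
		}
		intro, _ := parseVersion(r.introduced)
		return compare(v, intro) > 0, nil
	}
	return false, nil // module not covered by this advisory
}

// FindAffected scans the "path version" lines that `go list -m all` prints
// and returns the module lines that match a vulnerable range.
func FindAffected(goListOutput string) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(goListOutput))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 {
			continue // the main module is printed without a version
		}
		if ok, err := IsAffected(fields[0], fields[1]); err == nil && ok {
			hits = append(hits, fields[0]+" "+fields[1])
		}
	}
	return hits
}

// Constructed sample of `go list -m all` output for a service that pins the
// vulnerable v2 line and the fixed v1 line.
const sampleGoList = `example.com/myservice
github.com/lestrrat-go/jwx/v2 v2.0.18
github.com/lestrrat-go/jwx v1.2.28
golang.org/x/crypto v0.17.0`

func main() {
	for _, h := range FindAffected(sampleGoList) {
		fmt.Println("affected:", h)
	}
}
```

Feed it the real output of `go list -m all` from the module you are auditing, or run `govulncheck` from `golang.org/x/vuln`, which checks the whole dependency graph against the Go vulnerability database and also reports whether the vulnerable functions are actually reachable from your code.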
Additional Resources
- https://github.com/lestrrat-go/jwx/commit/d69a721931a5c48b9850a42404f18e143704adcd
- https://github.com/lestrrat-go/jwx/commit/8c53d0ae52d5ab1e2b37c5abb67def9e7958fd65
- https://github.com/lestrrat-go/jwx/security/advisories/GHSA-pvcr-v8j8-j5q3
- https://osv.dev/vulnerability/GHSA-pvcr-v8j8-j5q3
- https://github.com/lestrrat-go/jwx/commit/0e8802ce6842625845d651456493e7c87625601f
- https://github.com/lestrrat-go/jwx
- https://nvd.nist.gov/vuln/detail/CVE-2024-21664
What are Similar Vulnerabilities to CVE-2024-21664?
Similar Vulnerabilities: CVE-2021-44716, CVE-2020-10708, CVE-2019-11234, CVE-2023-48795, CVE-2023-45288
