CVE-2024-28180
Uncontrolled Resource Consumption vulnerability in go-jose (Go)
What is CVE-2024-28180 About?
This vulnerability in go-jose's JWE processing allows an attacker to send a token whose compressed payload consumes excessive memory and CPU when the library decompresses it. The result is a denial-of-service condition through resource exhaustion. Exploitation is relatively straightforward: the attacker crafts a JWE whose compressed content expands to a very large plaintext.
Affected Software
- github.com/go-jose/go-jose/v4
- <4.0.1
- github.com/go-jose/go-jose/v3
- <3.0.3
- gopkg.in/go-jose/go-jose.v2
- <2.6.3
- gopkg.in/square/go-jose.v2
- <=2.6.0
Technical Details
The vulnerability lies in the JWE (JSON Web Encryption) decryption process. A JWE may declare DEFLATE compression of its plaintext through the "zip":"DEF" protected-header parameter (RFC 7516). When such a token is received, the decryption routine (Decrypt or DecryptMulti) decrypts the content and then inflates it to recover the plaintext. An attacker can craft a JWE whose compressed content is designed to inflate enormously, in the manner of a zip bomb, so that a few kilobytes of ciphertext expand to many megabytes or gigabytes of output. Before the fix, no upper bound was placed on that output, so inflating it consumed disproportionately large amounts of memory and CPU, slowing or crashing the application and producing a denial-of-service condition.
What is the Impact of CVE-2024-28180?
Successful exploitation may allow attackers to cause a denial-of-service by consuming excessive memory and CPU resources, rendering the application unresponsive.
What is the Exploitability of CVE-2024-28180?
Exploitation is of low complexity. An attacker needs to craft a JWE token whose payload, when decompressed, consumes vast amounts of resources. Because decompression runs on the decrypted plaintext, the attacker must be able to produce a JWE the application can decrypt; with asymmetric key management (for example RSA or ECDH-based algorithms) this only requires the recipient's public key, and with symmetric key management it requires the shared key. No application-level authentication is typically required if the application decrypts JWEs from unauthenticated callers, and only standard network access is needed to send the token. This is a remote attack vector. The primary risk factor is any application that accepts and decrypts JWE tokens from untrusted sources, especially if no limit is placed on the size of the decompressed data. The attack can be repeated at will to maintain the denial-of-service state.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-28180?
About the Fix from Resolved Security
The patch adds a check to the decompression logic that caps the size of the decompressed output at the larger of 250kB or a fixed multiple of the compressed size (10x for single-recipient Decrypt, 3x for multi-recipient DecryptMulti). Inflation stops with an error as soon as that bound is exceeded, so a "zip bomb" payload is rejected before it is fully expanded. This fixes CVE-2024-28180 by preventing specially crafted inputs from decompressing to extremely large amounts of data and exhausting memory and CPU.
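The following is an added, self-contained example (not go-jose's own code) that illustrates both the failure mode described under Technical Details and the bounded-decompression check described in the fix. It uses only Go's standard library: a constructed "bomb" of compressed zeros stands in for the decrypted plaintext of a malicious JWE, `inflateUnbounded` mirrors the pre-fix read-until-EOF behaviour, and `inflateBounded` applies the larger-of-250kB-or-10x limit. The constant and function names are assumptions made for this example, not identifiers from the library.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// Limits taken from the fix description above: the decompressed output may be
// at most the larger of 250 kB or 10x the compressed input. These constants are
// part of this added example, not go-jose's own identifiers.
const (
	maxDecompressedBytes = 250 * 1024
	maxCompressionRatio  = 10
)

// ErrDecompressionBomb is returned when the bounded inflate hits its cap.
var ErrDecompressionBomb = errors.New("decompressed data would exceed the allowed limit")

// deflate compresses data with raw DEFLATE, the algorithm a JWE selects with
// the "zip":"DEF" protected-header parameter.
func deflate(data []byte) ([]byte, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		return nil, err
	}
	if _, err := w.Write(data); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// buildBomb produces a small compressed blob that inflates to size bytes of
// zeros: a constructed stand-in for the decrypted plaintext of a malicious JWE.
func buildBomb(size int) ([]byte, error) {
	return deflate(make([]byte, size))
}

// inflateUnbounded mirrors the pre-fix behaviour: read until EOF with no cap,
// so memory grows with whatever the attacker chose to compress.
func inflateUnbounded(compressed []byte) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	return io.ReadAll(r)
}

// inflateBounded applies the described check. It copies at most limit+1 bytes;
// receiving that extra byte proves the output would exceed the cap, and the
// function bails out without ever materialising the full payload.
func inflateBounded(compressed []byte) ([]byte, error) {
	limit := int64(len(compressed)) * maxCompressionRatio
	if limit < maxDecompressedBytes {
		limit = maxDecompressedBytes
	}
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()

	var out bytes.Buffer
	n, err := io.CopyN(&out, r, limit+1)
	if err != nil && err != io.EOF {
		return nil, err // corrupt DEFLATE stream
	}
	if n > limit {
		return nil, ErrDecompressionBomb
	}
	return out.Bytes(), nil
}

func main() {
	// A legitimate payload round-trips through the bounded path unchanged.
	claims := []byte(`{"sub":"alice","role":"user"}`)
	packed, _ := deflate(claims)
	out, err := inflateBounded(packed)
	fmt.Printf("legit: %d -> %d bytes, err=%v, same=%v\n", len(packed), len(out), err, bytes.Equal(out, claims))

	// A bomb: a few kB of DEFLATE that expands to 4 MiB of zeros.
	bomb, _ := buildBomb(4 << 20)
	big, _ := inflateUnbounded(bomb)
	fmt.Printf("unbounded: %d -> %d bytes\n", len(bomb), len(big))
	_, err = inflateBounded(bomb)
	fmt.Printf("bounded:   %d -> rejected: %v\n", len(bomb), err)
}
```

The important design point is that the bound is enforced while streaming: `io.CopyN` with `limit+1` never allocates more than the cap plus one byte, whereas `io.ReadAll` keeps growing its buffer until the attacker's stream ends. Applications that cannot upgrade immediately can apply the same pattern around any decompression of attacker-influenced data.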
Available Upgrade Options
- github.com/go-jose/go-jose/v3
- <3.0.3 → Upgrade to 3.0.3
- github.com/go-jose/go-jose/v4
- <4.0.1 → Upgrade to 4.0.1
- gopkg.in/go-jose/go-jose.v2
- <2.6.3 → Upgrade to 2.6.3
Additional Resources
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY
- https://osv.dev/vulnerability/GHSA-c5q2-7r4c-mv6g
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/
- https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS/
- https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298
- https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a
What are Similar Vulnerabilities to CVE-2024-28180?
Similar Vulnerabilities: CVE-2022-37454, CVE-2021-42340, CVE-2018-10237, CVE-2023-27532, CVE-2020-1945
