Skip to content

chore(deps): update module github.com/dvsekhvalnov/jose2go to v1.7.0 [security] #4858

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 25, 2025
Merged

chore(deps): update module github.com/dvsekhvalnov/jose2go to v1.7.0 [security] #4858

merged 1 commit into from
Nov 25, 2025

Conversation

@renovate-sh-app
Copy link
Contributor

@renovate-sh-app renovate-sh-app bot commented Nov 15, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
github.com/dvsekhvalnov/jose2go v1.6.0 -> v1.7.0 age confidence

GitHub Vulnerability Alerts

CVE-2025-63811

An issue was discovered in dvsekhvalnov jose2go 1.5.0 thru 1.7.0 allowing an attacker to cause a Denial-of-Service (DoS) via crafted JSON Web Encryption (JWE) token with an exceptionally high compression ratio.

jose2go is vulnerable to a JWT bomb attack through its decode function

CVE-2025-63811 / GHSA-9mj6-hxhv-w67j / GO-2025-4123

More information

Details

An issue was discovered in dvsekhvalnov jose2go 1.5.0 thru 1.7.0 allowing an attacker to cause a Denial-of-Service (DoS) via crafted JSON Web Encryption (JWE) token with an exceptionally high compression ratio.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Denial-of-Service (DoS) via crafted JSON Web Encryption (JWE) token high compression ratio in github.com/dvsekhvalnov/jose2go

CVE-2025-63811 / GHSA-9mj6-hxhv-w67j / GO-2025-4123

More information

Details

Denial-of-Service (DoS) via crafted JSON Web Encryption (JWE) token high compression ratio in github.com/dvsekhvalnov/jose2go

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Release Notes

dvsekhvalnov/jose2go (github.com/dvsekhvalnov/jose2go)

v1.7.0

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

@renovate-sh-app renovate-sh-app bot requested a review from a team as a code owner November 15, 2025 00:28
@github-actions
Copy link
Contributor

github-actions bot commented Nov 15, 2025
edited
Loading

🔍 Dependency Review

github.com/dvsekhvalnov/jose2go v1.6.0 -> v1.7.0 — ✅ Safe
  • Summary: This is a minor version bump of an indirect dependency for the JOSE (JWS/JWE) library. Reviewing the v1.6.0 to v1.7.0 range shows no public API changes that would require code modifications in consumers. No breaking changes were introduced in the exported surface.
  • Impact: As this package is indirect in your module graph, and given no API changes in this range, no code changes are required in your repository.

What to verify in your codebase (as a precaution):

  • If you interact with JOSE/JWT via a direct dependency that uses jose2go under the hood, run existing signing/encryption tests to confirm unchanged behavior, particularly:
    • JWS verification for RS256/ES256/HS256
    • JWE encrypt/decrypt for RSA-OAEP/AES-GCM
    • Custom/protected header handling

No code changes recommended.

Notes

  • Only one dependency changed, and it is indirect. No action needed beyond routine CI/test runs.

@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-github.com-dvsekhvalnov-jose2go-vulnerability branch 4 times, most recently from f523d57 to abb143f Compare November 18, 2025 00:31
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-github.com-dvsekhvalnov-jose2go-vulnerability branch 17 times, most recently from a48a6da to 0396cd5 Compare November 25, 2025 00:27
@renovate-sh-app
chore(deps): update module github.com/dvsekhvalnov/jose2go to v1.7.0 …
64aca2f 
…[security]

| datasource | package                         | from   | to     |
| ---------- | ------------------------------- | ------ | ------ |
| go         | github.com/dvsekhvalnov/jose2go | v1.6.0 | v1.7.0 |


Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-github.com-dvsekhvalnov-jose2go-vulnerability branch from 0396cd5 to 64aca2f Compare November 25, 2025 15:43
@jharvey10 jharvey10 enabled auto-merge (squash) November 25, 2025 15:48
@jharvey10 jharvey10 merged commit 36babc2 into main Nov 25, 2025
43 checks passed
@jharvey10 jharvey10 deleted the renovate/go-github.com-dvsekhvalnov-jose2go-vulnerability branch November 25, 2025 16:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jharvey10 jharvey10 jharvey10 approved these changes

Assignees

No one assigned

Labels

automerge-security-update severity:UNKNOWN

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jharvey10