{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "2.0.0" }, { "fixed": "2.0.21" } ] }, "events": [ { "introduced": "8f97f606570bc3de90005ce3188824e7e7eff88a" }, { "fixed": "611d914efbccb0babbce54e48457070e12ab6498" } ], "repo": "https://github.com/lestrrat-go/jwx", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "1.2.0" }, { "fixed": "1.2.29" } ] }, "events": [ { "introduced": "20fcd2aaea33121a0da375914a254615b3527c46" }, { "fixed": "1025f8eec3bd80c8d8f1be8f9cad989a5b78fd4b" } ], "repo": "https://github.com/lestrrat-go/jwx", "type": "GIT" } ] } ], "aliases": [ "GHSA-hj3v-m684-v259" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-400" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/28xxx/CVE-2024-28122.json" }, "details": " JWX is Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. This vulnerability allows an attacker with a trusted public key to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. This issue has been patched in versions 1.2.29 and 2.0.21.", "id": "CVE-2024-28122", "modified": "2026-04-01T23:09:16.478516522Z", "published": "2024-03-09T00:45:50.129Z", "references": [ { "type": "WEB", "url": "https://github.com/lestrrat-go/jwx/releases/tag/v1.2.29" }, { "type": "WEB", "url": "https://github.com/lestrrat-go/jwx/releases/tag/v2.0.21" }, { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/28xxx/CVE-2024-28122.json" }, { "type": "ADVISORY", "url": "https://github.com/lestrrat-go/jwx/security/advisories/GHSA-hj3v-m684-v259" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28122" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H", "type": "CVSS_V3" } ], "summary": " JWX vulnerable to a denial of service attack using compressed JWE message" }