CVE-2025-63811
📋 TL;DR
A vulnerability in dvsekhvalnov jose2go library versions 1.5.0 through 1.7.0 allows attackers to cause Denial-of-Service (DoS) by sending specially crafted JSON Web Encryption (JWE) tokens with extremely high compression ratios. This affects any application using these vulnerable jose2go versions for JWE token processing. The attack exploits resource exhaustion through decompression bomb techniques.
💻 Affected Systems
- dvsekhvalnov/jose2go
📦 What is this software?
Jose2go by Dvsekhvalnov
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to resource exhaustion (CPU/memory) leading to extended downtime and potential cascading failures in dependent systems.
Likely Case
Temporary service degradation or crashes affecting availability until systems restart or load balancers redirect traffic.
If Mitigated
Minimal impact with proper rate limiting, input validation, and resource monitoring in place to detect and block malicious requests.
🎯 Exploit Status
The GitHub issue contains proof-of-concept details. Exploitation requires sending a malicious JWE token to an endpoint that processes such tokens, which is typically unauthenticated in many implementations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.0
Vendor Advisory: https://github.com/dvsekhvalnov/jose2go/issues/33
Restart Required: Yes
Instructions:
1. Update jose2go dependency to version 1.8.0 or later. 2. Update go.mod to require 'github.com/dvsekhvalnov/jose2go v1.8.0'. 3. Run 'go mod tidy'. 4. Rebuild and redeploy affected applications. 5. Restart services using the updated library.
🔧 Temporary Workarounds
Disable JWE Compression
allConfigure jose2go to disable compression for JWE tokens if your use case doesn't require it.
Set compression algorithm to 'NONE' in JWE encryption configuration
Input Size Limiting
allImplement request size limits before JWE token processing to block oversized payloads.
Configure web server/API gateway to reject requests > 1MB
🧯 If You Can't Patch
- Implement strict rate limiting and request throttling on JWE processing endpoints
- Deploy WAF rules to detect and block JWE tokens with suspicious compression patterns
🔍 How to Verify
Check if Vulnerable:
Check go.mod or vendor dependencies for jose2go version 1.5.0-1.7.0. Run: grep -r 'jose2go' go.mod vendor/Check Version:
grep jose2go go.mod | grep -o 'v[0-9]\+\.[0-9]\+\.[0-9]\+'Verify Fix Applied:
Verify jose2go version is 1.8.0+ in go.mod and test JWE processing with known safe tokens.📡 Detection & Monitoring
Log Indicators:
- Spikes in memory/CPU usage during JWE processing
- Application crashes or restarts after receiving JWE tokens
- Unusually large request sizes to JWE endpoints
Network Indicators:
- Large base64-encoded payloads to authentication/API endpoints
- Multiple rapid requests with JWE tokens to same endpoint
SIEM Query:
source="application_logs" AND ("out of memory" OR "panic" OR "crash") AND "jose2go"