chore(deps): update module github.com/go-jose/go-jose/v4 to v4.0.5 [security] #6005
Conversation
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
added
dependencies
…ecurity] Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate
bot
force-pushed
the
renovate/go-git.freesoso.sbs-go-jose-go-jose-v4-vulnerability
branch
from
cedd6c4 to
2b96c38
Compare
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: nalind, renovate[bot] The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/cherry-pick release-1.39 |
|
@nalind: once the present PR merges, I will cherry-pick it on top of In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
renovate
bot
deleted the
renovate/go-git.freesoso.sbs-go-jose-go-jose-v4-vulnerability
branch
|
@nalind: new pull request created: #6009 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
This PR contains the following updates:
v4.0.4->v4.0.5GitHub Vulnerability Alerts
CVE-2025-27144
Impact
When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of '.' characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.
Patches
Version 4.0.5 fixes this issue
Workarounds
Applications could pre-validate payloads passed to go-jose do not contain an excessive number of '.' characters.
References
This is the same sort of issue as in the golang.org/x/oauth2/jws package as CVE-2025-22868 and Go issue https://go.dev/issue/71490.
Release Notes
go-jose/go-jose (github.com/go-jose/go-jose/v4)
v4.0.5Compare Source
What's Changed
Fixes GHSA-c6gw-w398-hv78
Various other dependency updates, small fixes, and documentation updates in the full changelog
New Contributors
Full Changelog: go-jose/go-jose@v4.0.4...v4.0.5
Configuration
📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.