GHSA-675f-rq2r-jw82

Suggest an improvement
Source
https://github.com/advisories/GHSA-675f-rq2r-jw82
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-675f-rq2r-jw82/GHSA-675f-rq2r-jw82.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-675f-rq2r-jw82
Aliases
Published
2025-01-09T17:23:43Z
Modified
2025-01-09T20:11:50.905875Z
Severity
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N CVSS Calculator
Summary
JWK Set's HTTP client only overwrites and appends JWK to local cache during refresh
Details

Impact

The project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation.

Example attack scenario: 1. An attacker has stolen the private key for a key published in JWK Set. 2. The publishers of that JWK Set remove that key from the JWK Set. 3. Enough time has passed that the program using the auto-caching HTTP client found in github.com/MicahParks/jwkset v0.5.0-v0.5.21 has elapsed its HTTPClientStorageOptions.RefreshInterval duration, causing a refresh of the remote JWK Set. 4. The attacker is signing content (such as JWTs) with the stolen private key and the system has no other forms of revocation.

Patches

The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. Upgrade to v0.6.0 or later.

Workarounds

The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value). Upgrade to v0.6.0 is advised.

References

Please see the tracking issue on GitHub for additional details: https://github.com/MicahParks/jwkset/issues/40

Database specific 
{
    "nvd_published_at": "2025-01-09T18:15:30Z",
    "cwe_ids": [
        "CWE-672"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-09T17:23:43Z"
}
References

Affected packages

Go / github.com/MicahParks/jwkset

Package

Name
github.com/MicahParks/jwkset
View open source insights on deps.dev
Purl
pkg:golang/github.com/MicahParks/jwkset

Affected ranges

Type
SEMVER
Events
Introduced
0.5.0
Fixed
0.6.0

Database specific 

{
    "last_known_affected_version_range": "<= 0.5.21"
}