You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
While trying to resolve this in my own project, I found that jwx requires this vulnerable version of golang.org/x/text. Can this dependency be updated to a newer version here? I started working on a branch, but I'm not actually sure how to pin a transitive dependency.
From https://nvd.nist.gov/vuln/detail/CVE-2020-14040:
While trying to resolve this in my own project, I found that jwx requires this vulnerable version of golang.org/x/text. Can this dependency be updated to a newer version here? I started working on a branch, but I'm not actually sure how to pin a transitive dependency.
It looks like there is a similar issue with the golang.org/x/crypto package: https://nvd.nist.gov/vuln/detail/CVE-2020-29652. This requires v0.0.0-20201203163018-be400aefbc4c or later.
The text was updated successfully, but these errors were encountered: