Go-jose Project Go-jose — known CVE vulnerabilities
Every CVE whose affected-product data names Go-jose Project Go-jose, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (5)
CVE-2016-9121 — CVSS 9.1 (critical): go-jose before 1.0.4 suffers from an invalid curve attack for the ECDH-ES algorithm. When deriving a shared key using ECDH-ES for an…
CVE-2016-9122 — CVSS 7.5 (high): go-jose before 1.0.4 suffers from multiple signatures exploitation. The go-jose library supports messages with multiple signatures…
CVE-2016-9123 — CVSS 7.5 (high): go-jose before 1.0.5 suffers from a CBC-HMAC integer overflow on 32-bit architectures. An integer overflow could lead to authentication…
CVE-2026-34986 — CVSS 7.5 (high): Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web…
CVE-2024-28180 — CVSS 4.3 (medium): Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a…