github.com/lestrrat-go/jwx/v3 is vulnerable to Cryptographic Issues
60
Medium Risk
Affected versions of this package are vulnerable to multiple security issues. EC public keys used for JWE and JWK import are accepted without verifying that the point lies on the configured curve, exposing the recipient to invalid-curve attacks that can leak shared-secret bits. The helper that produces a public JWK set also copies symmetric (HMAC) keys through unchanged, leaking secret material when the result is published. The fast JWT signing path additionally inserts the key ID and algorithm name into the protected header without escaping, allowing crafted values to inject extra or malformed header fields.
You are affected if you are using a version that falls within the vulnerable range.
github.com/lestrrat-go/jwx/v3 is vulnerable to Cryptographic Issues in versions 3.0.0 - 3.0.13.
Upgrade the github.com/lestrrat-go/jwx/v3 library to a patched version (a release later than 3.0.13).
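The three issues above correspond to three checks a consumer of EC keys, key sets and JWS headers should make. The following stand-alone Go program is an added illustration written for this page, not code from the jwx project: it validates that an imported EC JWK's (x, y) lies on the named curve using crypto/ecdh (the same on-curve check the invalid-curve attack relies on being absent), builds a publishable key set that drops symmetric keys and private members, and serialises the protected header through encoding/json so a crafted kid cannot inject fields. The JWK struct, the field names beyond the standard JWK members, and the sample key (generated at run time) are assumptions of this example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// JWK is a minimal JSON Web Key record with only the members this example
// needs. It is a constructed illustration, not the jwx library's type.
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv,omitempty"`
	X   string `json:"x,omitempty"`
	Y   string `json:"y,omitempty"`
	D   string `json:"d,omitempty"` // EC private scalar: never publish
	K   string `json:"k,omitempty"` // symmetric secret: never publish
	Kid string `json:"kid,omitempty"`
}

var b64 = base64.RawURLEncoding

// curveFor maps a JWK "crv" name to the NIST curve and its coordinate size.
func curveFor(crv string) (ecdh.Curve, int, error) {
	switch crv {
	case "P-256":
		return ecdh.P256(), 32, nil
	case "P-384":
		return ecdh.P384(), 48, nil
	case "P-521":
		return ecdh.P521(), 66, nil
	}
	return nil, 0, fmt.Errorf("unsupported curve %q", crv)
}

// ValidateECPoint rejects an EC JWK whose (x, y) is not on the named curve.
// ecdh.Curve.NewPublicKey performs the on-curve check, so an off-curve point
// never reaches an ECDH computation where it could leak shared-secret bits.
func ValidateECPoint(k JWK) error {
	if k.Kty != "EC" {
		return errors.New("not an EC key")
	}
	curve, size, err := curveFor(k.Crv)
	if err != nil {
		return err
	}
	x, errX := b64.DecodeString(k.X)
	y, errY := b64.DecodeString(k.Y)
	if errX != nil || errY != nil || len(x) != size || len(y) != size {
		return fmt.Errorf("malformed coordinates for %s", k.Crv)
	}
	// Uncompressed SEC1 encoding: 0x04 || X || Y.
	point := append(append([]byte{0x04}, x...), y...)
	if _, err := curve.NewPublicKey(point); err != nil {
		return fmt.Errorf("point is not on %s: %w", k.Crv, err)
	}
	return nil
}

// SampleECJWK generates a fresh P-256 key and returns its public JWK form
// (sample data constructed for this example).
func SampleECJWK(kid string) (JWK, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return JWK{}, err
	}
	raw := priv.PublicKey().Bytes() // 0x04 || X || Y, 65 bytes
	return JWK{Kty: "EC", Crv: "P-256", Kid: kid,
		X: b64.EncodeToString(raw[1:33]), Y: b64.EncodeToString(raw[33:])}, nil
}

// TamperY flips one bit of the y coordinate so (x, y) leaves the curve.
func TamperY(k JWK) JWK {
	y, _ := b64.DecodeString(k.Y)
	y[0] ^= 0x01
	k.Y = b64.EncodeToString(y)
	return k
}

// PublicSet returns only what is safe to publish: symmetric keys are dropped
// entirely and private members are cleared from asymmetric keys.
func PublicSet(keys []JWK) []JWK {
	out := make([]JWK, 0, len(keys))
	for _, k := range keys {
		if k.Kty == "oct" {
			continue // an HMAC secret has no public half
		}
		k.D, k.K = "", ""
		out = append(out, k)
	}
	return out
}

// ProtectedHeader builds the JWS protected header by marshalling a struct, so
// quotes and braces inside alg or kid are escaped instead of concatenated raw.
func ProtectedHeader(alg, kid string) (string, error) {
	hdr := struct {
		Alg string `json:"alg"`
		Kid string `json:"kid,omitempty"`
	}{alg, kid}
	b, err := json.Marshal(hdr)
	if err != nil {
		return "", err
	}
	return b64.EncodeToString(b), nil
}

// DecodeHeader parses an encoded protected header back into its members.
func DecodeHeader(encoded string) (map[string]any, error) {
	b, err := b64.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	var m map[string]any
	err = json.Unmarshal(b, &m)
	return m, err
}

func main() {
	pub, _ := SampleECJWK("kid-1")
	fmt.Println("genuine point:", ValidateECPoint(pub))
	fmt.Println("tampered point:", ValidateECPoint(TamperY(pub)))
	h, _ := ProtectedHeader("ES256", `x","crit":["injected"]`)
	m, _ := DecodeHeader(h)
	fmt.Println("header members:", len(m), "kid:", m["kid"])
}
```

The on-curve check only needs the public key material, so it can run at import time before any key is stored or handed to JWE; when a key set is published, filtering by key type is a cheaper and more reliable guard than trying to redact individual secret members.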