Elliptic Curve Key Disclosure Affecting github.com/square/go-jose package, versions <1.0.4

  • Attack Complexity


  • Confidentiality


  • Integrity


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    16 Feb 2017

  • disclosed

    16 Feb 2017

  • credit


How to fix?

Upgrade github.com/square/go-jose to version 1.0.4 or higher.


github.com/square/go-jose is a Package that aims to provide an implementation of the Javascript Object Signing and Encryption set of standards.

Affected versions of this package are vulnerable to Elliptic Curve Key Disclosure. It suffers from an invalid curve attack for the ECDH-ES algorithm. When deriving a shared key using ECDH-ES for an encrypted message, go-jose neglected to check that the received public key on a message is on the same curve as the static private key of the receiver, thus making it vulnerable to an invalid curve attack.