
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue was discovered in dvsekhvalnov jose2go versions 1.5.0 through 1.7.0, identified as CVE-2025-63811. The vulnerability allows attackers to cause a Denial-of-Service (DoS) condition by crafting a JSON Web Encryption (JWE) token with an exceptionally high compression ratio. This vulnerability was disclosed on November 12, 2025, and affects the jose2go library's token processing functionality (NVD, Ubuntu).
The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The root cause lies in the Deflate.Decompress function in deflate.go, which uses ioutil.ReadAll to read the entire inflated payload from a flate.Reader into memory without imposing any limit on the output size. The inflated size is therefore controlled entirely by the attacker's compressed input, and a DEFLATE stream of highly repetitive data can expand by roughly three orders of magnitude (the format's maximum ratio is about 1032:1), so a token of a few kilobytes can force megabytes of allocation. The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) (Miggo).
When exploited, this vulnerability can lead to significant memory allocation and processing time during decompression, potentially causing system crashes and service disruptions. The attack can be executed remotely without requiring authentication or user interaction, making it particularly dangerous for public-facing services that process JWE tokens (GitHub).
The recommended mitigation is to limit the maximum token length to 250KB, following the approach adopted by the JWT library System.IdentityModel.Tokens.Jwt used in Microsoft Azure. Because the DEFLATE expansion ratio is bounded, capping the serialized token length bounds the worst-case inflated size and prevents attackers from exploiting the vulnerability with high compression ratio tokens (GitHub). As a general practice, the token-length check should run before any parsing or decryption, and code that inflates attacker-controlled data should additionally cap the decompressed output directly (for example with an io.LimitReader in Go) rather than relying on the input size alone.
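The following Go program is an added illustration, not code from jose2go or from the reporters: it places the vulnerable pattern (unbounded ReadAll over a flate.Reader) beside a hardened decompressor that caps inflated output with io.LimitReader, and adds the pre-parse token-length gate the report recommends. The 250KB token limit comes from the report; the 1 MiB decompressed-output cap, the function names and the "bomb" input (a run of zero bytes deflated at best compression, constructed here for the demonstration) are assumptions chosen for the example.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// Limits a caller would choose. maxTokenBytes follows the report's 250KB
// recommendation; maxDecompressedBytes is an assumed cap for this example.
const (
	maxTokenBytes        = 250 * 1024
	maxDecompressedBytes = 1 * 1024 * 1024
)

var (
	ErrTokenTooLarge        = errors.New("jwe: serialized token exceeds maximum length")
	ErrDecompressedTooLarge = errors.New("deflate: decompressed payload exceeds limit")
)

// decompressUnbounded mirrors the vulnerable pattern: the whole inflated stream
// is read into memory and its size is whatever the attacker's input dictates.
func decompressUnbounded(compressed []byte) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	return io.ReadAll(r) // same behaviour as the deprecated ioutil.ReadAll
}

// decompressBounded wraps the flate reader in io.LimitReader. It reads one byte
// past the cap so an over-limit stream is rejected instead of silently truncated.
func decompressBounded(compressed []byte, limit int64) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > limit {
		return nil, ErrDecompressedTooLarge
	}
	return out, nil
}

// checkTokenLength is the cheap first gate, applied to the serialized compact
// JWE before any base64 decoding, decryption or decompression happens.
func checkTokenLength(token []byte) error {
	if len(token) > maxTokenBytes {
		return ErrTokenTooLarge
	}
	return nil
}

// compressBomb builds a constructed test input: n zero bytes deflated at best
// compression, which produces a tiny stream with a very high expansion ratio.
func compressBomb(n int) []byte {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		panic(err) // only reachable with an invalid compression level
	}
	zeros := make([]byte, 64*1024)
	for written := 0; written < n; written += len(zeros) {
		chunk := zeros
		if n-written < len(zeros) {
			chunk = zeros[:n-written]
		}
		w.Write(chunk)
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	bomb := compressBomb(32 * 1024 * 1024) // 32 MiB of zeros before compression
	fmt.Printf("compressed bomb: %d bytes\n", len(bomb))

	// Vulnerable path: allocates the full 32 MiB for a ~32 KiB input.
	out, err := decompressUnbounded(bomb)
	fmt.Printf("unbounded: inflated %d bytes, err=%v\n", len(out), err)

	// Hardened path: stops reading at the cap and rejects the token.
	_, err = decompressBounded(bomb, maxDecompressedBytes)
	fmt.Printf("bounded: err=%v\n", err)
}
```

The bounded reader stops consuming the inflate stream as soon as the cap is exceeded, so memory use is bounded by the cap regardless of the compression ratio; the token-length gate is still worth keeping in front of it because it is cheaper than inflating anything at all.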
Source: This report was generated using AI