
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (GHSA-rm8v-mxj3-5rmq) affects the github.com/lestrrat-go/jwx library, specifically its JWE (JSON Web Encryption) implementation. Discovered and reported by shogo82148, this moderate-severity vulnerability was disclosed on June 14, 2023. The affected versions include all v2 releases up to v2.0.10, all v1 releases up to v1.2.25, and all v0 releases up to v0.9.2. The vulnerability was patched in versions v1.2.26 and v2.0.11 (GitHub Advisory).
The vulnerability exists in the AES-CBC decryption implementation of JWE, where the code explicitly returns different error messages for padding-related issues. The problematic code resides in the unpad function, which processes the padding in a non-constant-time manner and returns distinct error messages for different padding conditions. This implementation violates the RFC 7516 JSON Web Encryption (JWE) specification, which mandates that implementations MUST NOT distinguish between format, padding, and length errors of encrypted keys (GitHub Advisory).
While the immediate impact is mitigated by the verification of authentication tags, the vulnerability could potentially expose the system to padding oracle attacks. The non-constant time implementation of padding removal could also lead to timing attacks, potentially leaking information about the padding length (GitHub Advisory).
The recommended mitigation is to upgrade to the patched versions: v1.2.26 for v1 users or v2.0.11 for v2 users. The patches implement constant-time padding verification and unified error messages as required by RFC 7516. Note that v0 versions will not receive fixes and users should upgrade to newer versions (GitHub Advisory).
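The difference between the flawed pattern and constant-time padding verification with a unified error, as an added Go example (not the jwx project's code or its actual patch). The names `leakyUnpad`, `ctUnpad` and `errDecrypt` and the error strings are hypothetical, and PKCS#7 padding with a 16-byte AES block is assumed.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

var errDecrypt = errors.New("decryption failed") // one error for every failure (hypothetical name)

// leakyUnpad shows the flawed pattern: early exits and a distinct message per condition.
func leakyUnpad(buf []byte, blockSize int) ([]byte, error) {
	if len(buf) == 0 || len(buf)%blockSize != 0 {
		return nil, errors.New("invalid length")
	}
	n := int(buf[len(buf)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("invalid padding length")
	}
	for _, b := range buf[len(buf)-n:] {
		if b != byte(n) {
			return nil, errors.New("invalid padding byte")
		}
	}
	return buf[:len(buf)-n], nil
}

// ctUnpad checks PKCS#7 padding with no data-dependent branch or early exit in the scan.
func ctUnpad(buf []byte, blockSize int) ([]byte, error) {
	if len(buf) == 0 || len(buf)%blockSize != 0 {
		return nil, errDecrypt // length is public; assumes 1 <= blockSize <= 255
	}
	n := int(buf[len(buf)-1])
	good := subtle.ConstantTimeLessOrEq(1, n) & subtle.ConstantTimeLessOrEq(n, blockSize)
	tail := buf[len(buf)-blockSize:]
	for i := 0; i < blockSize; i++ { // always scan the whole final block
		inPad := subtle.ConstantTimeLessOrEq(blockSize-i, n) // 1 if tail[i] is a padding byte
		good &= (1 ^ inPad) | subtle.ConstantTimeByteEq(tail[i], byte(n))
	}
	if good != 1 {
		return nil, errDecrypt // same error for every padding failure
	}
	return buf[:len(buf)-n], nil
}

func main() {
	_, err := ctUnpad(append(make([]byte, 13), 3, 2, 3), 16) // constructed sample block
	fmt.Println(err)
}
```

In an authenticated mode such as the AES-CBC with HMAC construction used by JWE, the authentication tag is checked before any padding is inspected, which is why the advisory describes the immediate impact as mitigated.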
Source: This report was generated using AI