Fix CVE-2025-27144 by upgrading github.com/go-jose/go-jose/v3 (!5403) · Merge requests · GitLab.org / gitlab-runner

The trivy scan is:

┌───────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│            Library            │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                            │
├───────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/go-jose/go-jose/v3 │ CVE-2025-27144 │ MEDIUM   │ fixed  │ v3.0.3            │ 3.0.4         │ go-jose: Go JOSE's Parsing Vulnerable to Denial of Service │
│                               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-27144                 │
└───────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

The latest version IS 3.0.4.

There's no issue for this CVE yet; I saw this vul while fixing Fix CVE-2025-22869 by updating golang.org/x/net (!5402 - closed)

Edited Mar 06, 2025 by Axel von Bertoldi

Fix CVE-2025-27144 by upgrading github.com/go-jose/go-jose/v3

Merge request reports